Security flaws in popular robots let hackers spy on owners
Cyber vulnerabilities found in robots manufactured for home, business and industrial purposes that were discovered by researchers earlier this year still have not been addressed, it has been warned.
The researchers, Cesar Cerrudo and Lucas Apa of cyber security firm IOActive, said the vulnerabilities would allow hackers to spy on users, disable safety features and make robots lurch and move violently, putting users and bystanders in danger.
While they say there are no signs that hackers have exploited the vulnerabilities, the fact that the robots were hacked so easily and the manufacturers’ lack of response raises questions about allowing robots in homes, offices and factories.
“Our research shows proof that even non-military robots could be weaponized to cause harm,” Apa said in an interview.
“These robots don’t use bullets or explosives, but microphones, cameras, arms and legs. The difference is that they will be soon around us and we need to secure them now before it’s too late.”
His comments come in the wake of a letter signed by more than 100 leading robotic experts urging the United Nations to ban the development of killer military robots, or autonomous weapons.
Apa, a senior security consultant, said that of the six manufacturers contacted, only one, Rethink Robotics, said some of the problems had been fixed. He said he had not been able to confirm that as his team does not have access to that particular robot.
A spokesman for Rethink Robotics, which makes the Baxter and Sawyer assembly-line robots, said all but two issues – in the education and research versions of its robots – had been fixed.
Apa said a review of updates from the other five manufacturers – Universal Robots of Denmark, SoftBank Robotics and Asratec Corp of Japan, Ubtech of China, and Robotis Inc of South Korea – led him to believe none of the issues he had raised had been fixed.
Asratec said that software released for its robots so far was limited to “hobby-use sample programs”, and it believed IOActive was pointing to security vulnerabilities in those. Software it planned to release for commercial use would be different, it said.
Robotis declined to comment. The three other manufacturers did not immediately respond to emailed requests for comment.
The slow reaction by the robot industry was not surprising, said Joshua Ziering, founder of Kittyhawk.io, a commercial drone software company. “A new technology bursts on to the market and people fail to secure it,” he said.
Cyber-security experts said the robot vulnerabilities were alarming, and cyber criminals could use them to disrupt factories by ransomware attacks, or with robots slowed down or forced to embed flaws in the products they are programmed to build.
“The potential impact to companies, and even countries, could be massive,” said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, “should an attacker exploit the vulnerability within the applications that control these robots.”
Even in the home, danger lurks, said Apa, demonstrating how a 43.18cm-tall Alpha 2 robot from Ubtech could be programmed to violently jab a screwdriver.
“Maybe it’s small and it’s not really going to hurt right now, but the trend is that the robots are going to be more powerful,” he said. “We tested industrial ones, which are really heavy and powerful, and some of the attacks work with them.”
Apa and Cerrudo released their initial findings in January.
This week, they released details about the specific vulnerabilities they found, including one case where they mix several of those vulnerabilities together to hijack a Universal Robot factory robot, making it lurch about and be a potential threat.
Earlier this month South Korea began pondering changes to its tax laws that would disincentivise companies from replacing workers with robots in an attempt to slow down the pace of automation.