Five Terminator movies have taught us nothing

In a new study of leading robot manufacturers, most were found to be vulnerable


You might think that after watching SkyNet battle humans through five movies and a television series, robot manufacturers would be building in some safeguards. You would be wrong.

In a new study of leading robot manufacturers, most had serious security vulnerabilities which could allow hackers to take over and reprogram the robots to spy on their owners, cause property damage, or even attack humans.

"We have already seen accidents in industry," said Lucas Apa, senior security consultant at IOActive, which produced the report. So far, there's no evidence that those accidents were caused by hackers, he said, but it might just be a matter of time.

"Cybercriminals typically try to target technology when it is massively adopted," he said.

Smart, internet-connected robots are relatively new, he said, and the relatively low numbers in use right now might not yet be worth the time and effort it would take criminals to hack into them.

But should they want to, there are a large number of vulnerabilities in most robots as well as in popular robot programming frameworks.

The most widely used framework, ROS, was originally designed to be used in a research environment, said Apa, and is extremely insecure.

"They know that they have different vulnerabilities," he said. "But there are still companies that adopt it."

IOActive also looked at the NAO and Pepper robots from SoftBank Robotics, the Alpha 1S and Alpha 2 robots from Ubtech Robotics, the Robotis OP2 and Thormang 3 robots from Robotis, the UR3, UR5 and UR10 robots from Universal Robots, the Baxter and Sawyer robots from Rethink Robotics, and several robots from Asratec.

The most dangerous of the vulnerabilities is the lack of authentication, said IOActive's CTO Cesar Cerrudo.

"If you are an attacker and you're in the same network, the lack of authentication means that you can just connect to the robot, modify the software, et cetera," he said. "That's one of the most dangerous problems."

Most of the robots tested had this problem, though IOActive declined to spell out which vendors had which problems.

In addition, the company contacted the manufacturers six weeks ago. Only two responded. One of the manufacturers said they planned to fix issues in an upcoming release.

"And the other one said, 'This is very interesting. We should do something about it.' And that's it," said Apa.

Another problem with the robots is that while there was usually a way to update or patch the software, two of the six manufacturers did not have a factory reset option on their robots.

"So if the robot is already hacked, and the operating system is compromised, it's almost impossible to revert the robot to its original state," he said. "You have to ship the robot back to the manufacturer so that they can repair it, and it can cost a lot of money."

And speaking of the update mechanism, there were vulnerabilities there, as well.

"Maybe the user is not getting a real update, but a malicious one," said Cerrudo.

Apa said that he hopes the new report will bring some attention to the problem, so that the security issues can get addressed as early as possible.

"Very soon, there will be robots all around," said Cerrudo. "They're being implemented in airports, in stores. It's growing, the robot adoption, and it's important that we start doing something right now about the security problems. If we wait until the robots are everywhere, it will be really bad for humans and for business."


Copyright © 2017 IDG Communications, Inc.
