
IoT/Embedded Security

8/24/2017
06:41 PM
Simon Marshall

Programmed to Kill: The Risk of Hacked Robots Is Real

When will the news break of the first hacked robot taking a human life? It could be sooner than you think.

Unless security vulnerabilities in retail and commercial robots are patched, it is only a matter of time before robots become an aggressive force against humans. The finding comes from data released by robotic security expert IOActive, which says that the proliferation of robots, multiplied by a growing number of exploits, could mean bodily injury, death, the loss of intellectual property and illegal monitoring of members of the public.

Robots operating in isolation are one thing, but so-called "cobots" working in tandem with humans pose the gravest threat. And this is not scaremongering; it could be happening now. The US Department of Labor keeps track of robotic injuries to the workforce, a record that to date runs to 38 pages of deaths and severe injuries -- caused by robotic malfunction, not hacking.

But a growing number of hackers are expected to take advantage of insecure software systems to manipulate robot programming and turn legions of automatons to the dark side. Cesar Cerrudo, CTO at IOActive, said, "When you think of robots as computers with arms, legs or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before."

How does it happen? Demonstration videos show a UBTech Alpha 2 robot hacked to show how injury can be caused, and SoftBank’s NAO and Pepper repurposed for espionage.

So where does responsibility lie for injury, loss of IP and loss of privacy, to name a few? Right now, it’s up to each link in the ecosystem chain to define and own the legal liability for its individual piece. This breaks down across connectivity, hardware and software, but ultimately it’s difficult for robot manufacturers to remain watertight in terms of the end device.

It’s best practice, according to Jim Shulkin, vice president of marketing at IOActive, to assume a "Def Con One" stance: that any connected device is either under attack or is a target. That seems cumbersome, but it is a testament to the potential damage that could be caused and to how risk averse everyone needs to be.

Machine learning is one weapon against such evolving threats: models trained on historical data can learn or predict attack patterns and keep hackers at bay before harm is done. However, this embryonic area faces some immediate challenges before it goes into the wild.

"Programming a machine to learn is one thing, (but) teaching a machine to think like a skilled human attacker -- which is who is ultimately behind a cybersecurity breach -- is a difficult, if not impossible proposition," Shulkin told Security Now. "So, (machine learning) likely will have an evolving place in predictive/proactive security, but won't be a replacement for the human adversarial mindset anytime soon."

Conversely, there are limitations to the human brain. "(Manufacturers and developers) can’t be expected to have the technical expertise to determine the cybersecurity posture of the products," said Shulkin, meaning that vulnerabilities evolve once the robot has securely left the box.

These vulnerabilities will surely multiply as investors power the startup market. The Financial Times estimates that venture capital investments in robotics reached $587 million in 2015, nearly quadrupling to $1.95 billion in 2016. According to Angel List, there are currently 871 startup companies in the sector, attracting funding from 2,459 investors. Overall global spend will increase, according to IDC, to reach $188 billion by 2020.

John Santagate, research manager, supply chain at IDC Manufacturing Insights said, "This growth is really fueled by a combination of technology improvements, expanded use cases and acceptance in the market. Innovators in the field of robotics are delivering robots that can be used to perform a broader range of tasks, which is helping to drive the adoption of robotics into a wider base of industries."

IOActive identified weaknesses in robots from mainstream manufacturers, including units developed by SoftBank, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp. Some of the 50 identified cybersecurity exploits fall within the following categories:

  • Insecure communications
  • Authentication issues
  • Missing authorization
  • Weak cryptography
  • Privacy issues
  • Weak default configuration
  • Vulnerable open robot frameworks and libraries
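As an added illustration of three of those categories (authentication issues, missing authorization and weak default configuration), and not code from IOActive or from any of the vendors named above, the following Python sketch contrasts a command handler that accepts any request that reaches it with one that requires an HMAC over each command, rejects replays, enforces a per-role command allowlist and bounds motion parameters. The device key, the operator roles, the command names and the speed and force limits are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed example: a command endpoint for a hypothetical robot. The key,
# the roles, the command names and the limits are all made up for illustration;
# none of this is IOActive's research code or any vendor's firmware.

# Authorization allowlist: which commands each role may issue.
ROLE_ALLOWLIST = {
    "operator": {"move", "stop", "status"},
    "viewer": {"status"},
}

# Safety envelope for the hypothetical "move" command (constructed limits).
MAX_SPEED = 0.5    # metres per second
MAX_FORCE = 20.0   # newtons
MAX_SKEW = 30.0    # seconds a command timestamp may differ from device time


def weak_handle(envelope: dict) -> dict:
    """The weak pattern: no authentication, no authorization, no limits.
    Anyone who can reach the port can make the robot do anything."""
    msg = json.loads(envelope["payload"])
    return {"ok": True, "cmd": msg["cmd"]}


class RobotController:
    """Hardened dispatcher: authenticate, de-duplicate, authorize, then bound."""

    def __init__(self, device_key: bytes, roles: dict, clock=time.time):
        # Refuse short keys: a per-device key rather than a vendor-wide
        # default, and long enough that guessing it is impractical.
        if len(device_key) < 32:
            raise ValueError("device key must be at least 32 bytes")
        self.device_key = device_key
        self.roles = roles        # operator id -> role name
        self.clock = clock        # injectable so tests can fix the time
        self.seen_nonces = set()  # replay cache (would be pruned by MAX_SKEW in practice)

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self.device_key, payload, hashlib.sha256).hexdigest()

    def handle(self, envelope: dict) -> dict:
        payload = envelope.get("payload", b"")
        tag = envelope.get("mac", "")
        # 1. Authentication: constant-time HMAC check over the raw payload,
        #    performed before the payload is parsed at all.
        if not hmac.compare_digest(self._mac(payload), tag):
            return {"ok": False, "reason": "bad mac"}
        msg = json.loads(payload)
        # 2. Replay protection: reject stale timestamps and reused nonces.
        if abs(self.clock() - msg["ts"]) > MAX_SKEW or msg["nonce"] in self.seen_nonces:
            return {"ok": False, "reason": "stale or replayed"}
        self.seen_nonces.add(msg["nonce"])
        # 3. Authorization: the sender's role must allow this command.
        role = self.roles.get(msg["operator"])
        if role is None or msg["cmd"] not in ROLE_ALLOWLIST.get(role, set()):
            return {"ok": False, "reason": "not authorized"}
        # 4. Safety envelope: enforced regardless of who is asking.
        if msg["cmd"] == "move":
            args = msg.get("args", {})
            if args.get("speed", 0.0) > MAX_SPEED or args.get("force", 0.0) > MAX_FORCE:
                return {"ok": False, "reason": "unsafe parameters"}
        return {"ok": True, "cmd": msg["cmd"]}


def sign_command(device_key: bytes, operator: str, cmd: str, args=None,
                 ts=None, nonce=None) -> dict:
    """Client side: serialize a command deterministically and MAC it."""
    msg = {
        "operator": operator,
        "cmd": cmd,
        "args": args or {},
        "ts": time.time() if ts is None else ts,
        "nonce": os.urandom(8).hex() if nonce is None else nonce,
    }
    payload = json.dumps(msg, sort_keys=True).encode()
    return {"payload": payload,
            "mac": hmac.new(device_key, payload, hashlib.sha256).hexdigest()}


if __name__ == "__main__":
    key = os.urandom(32)
    robot = RobotController(key, {"alice": "operator", "bob": "viewer"})
    print(robot.handle(sign_command(key, "alice", "move", {"speed": 0.2})))
    print(robot.handle(sign_command(key, "bob", "move", {"speed": 0.2})))
    print(robot.handle(sign_command(key, "alice", "move", {"speed": 5.0})))
    print(robot.handle(sign_command(b"guess" * 7, "alice", "stop")))
```

The order of the checks matters: the MAC is verified before any parsing so that unauthenticated input never reaches the JSON decoder, and the safety envelope in step 4 is applied after authorization so that even a legitimate operator, or an attacker holding an operator's credentials, cannot command the robot outside its physical limits. That last check is the control that speaks directly to the "kinetic" risk the article describes.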

IOActive confirmed that, to date, no malfunctions have been attributed to hacker activity.


Simon Marshall has worked within and around the telecom and IT industries for 21 years. Simon cut his teeth as editor-at-large at totaltelecom.com in the late Nineties, drove strategic communication and product marketing plans for Qualcomm, Neustar and Redknee during the Noughties, and lives today as a technical consultant, active tech news junky and content underwriter at Security Now.
