
8/24/2017
06:41 PM
Simon Marshall

Programmed to Kill: The Risk of Hacked Robots Is Real

When will the news break of the first hacked robot taking a human life? It could be sooner than you think.

It’s only a matter of time before robots could be an aggressive force against humans unless security vulnerabilities in retail and commercial robots are patched. The findings come from a release of data by robotic security expert IOActive, which says that the proliferation of robots multiplied by a growing number of exploits could mean bodily injury, death, the loss of intellectual property and illegal monitoring of members of the public.

Robots operating in isolation are one thing, but so-called "cobots," which work in tandem with humans, pose the gravest threat. And this is not scaremongering; it could be happening now. The US Department of Labor keeps track of robotic injuries to the workforce; its records contain 38 pages of deaths and severe injuries to date -- caused by robotic malfunction, not hacking.

But a growing number of hackers are expected to take advantage of insecure software systems to manipulate robot programming and turn legions of automatons to the dark side. Cesar Cerrudo, CTO at IOActive, said, "When you think of robots as computers with arms, legs or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before."

How does it happen? IOActive's demonstration videos show a UBTech Alpha 2 robot hacked to cause injury, and SoftBank's NAO and Pepper repurposed for espionage.

So where does responsibility lie for injury, loss of IP and privacy, to name a few? Right now, it’s up to the ecosystem chain to define and own the legal liability for their individual piece. This breaks down across connectivity, hardware and software, but ultimately it’s difficult for robot manufacturers to remain watertight in terms of the end device.

It’s best practice, according to Jim Shulkin, vice president of marketing at IOActive, to assume a "Def Con One" stance: any connected device is either under attack or is a target. That seems very cumbersome, but it's a testimony to the potential damage that could be caused and to how risk-averse everyone needs to be.

A weapon against such evolving threats is machine learning, which can predict attacks or learn patterns from training data to keep hackers at bay before harm is done. However, this embryonic area faces some immediate challenges before it goes into the wild.

"Programming a machine to learn is one thing, (but) teaching a machine to think like a skilled human attacker -- which is who is ultimately behind a cybersecurity breach -- is a difficult, if not impossible proposition," Shulkin told Security Now. "So, (machine learning) likely will have an evolving place in predictive/proactive security, but won't be a replacement for the human adversarial mindset anytime soon."

Conversely, there are limitations to the human brain. "(Manufacturers and developers) can’t be expected to have the technical expertise to determine the cybersecurity posture of the products," said Shulkin, meaning that vulnerabilities evolve once the robot has securely left the box.

These vulnerabilities will surely multiply as investors power the startup market. The Financial Times estimates that venture capital investments in robotics reached $587 million in 2015, nearly quadrupling to $1.95 billion in 2016. According to Angel List, there are currently 871 startup companies in the sector, attracting funding from 2,459 investors. Overall global spend will increase, according to IDC, to reach $188 billion by 2020.

John Santagate, research manager, supply chain at IDC Manufacturing Insights said, "This growth is really fueled by a combination of technology improvements, expanded use cases and acceptance in the market. Innovators in the field of robotics are delivering robots that can be used to perform a broader range of tasks, which is helping to drive the adoption of robotics into a wider base of industries."

IOActive identified weaknesses in mainstream robot manufacturing companies, including units developed by SoftBank, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp. Some of the 50 identified cybersecurity exploits fall within the following categories:

  • Insecure communications
  • Authentication issues
  • Missing authorization
  • Weak cryptography
  • Privacy issues
  • Weak default configuration
  • Vulnerable open robot frameworks and libraries

IOActive confirmed that to date, no malfunctions have yet been identified as hacker activity.


Simon Marshall has worked within and around the telecom and IT industries for 21 years. Simon cut his teeth as editor-at-large at totaltelecom.com in the late Nineties, drove strategic communication and product marketing plans for Qualcomm, Neustar and Redknee during the Noughties, and lives today as a technical consultant, active tech news junky and content underwriter at Security Now.
