Cybersecurity for robots weakening as automation grows
With the industry moving more toward increased connectivity and stronger automated environment, the use of robots is becoming much stronger. The catch is, though, security for robots, both home and industrial is severely lacking, according to research from IOActive.
The growth of robots continues to rise, according to the International Federation of Robotics (IFR). Unit sales of industrial robots grew 15% in 2015, while revenues increased 9% to $11 billion. In 2016 revenues in North America rose by 14%, to $1.8 billion. Consulting group, ABI Research, said the industry′s sales will triple by 2025.
Simply put, the use of robots continues to grow, but will security follow suit?
A slew of vulnerabilities, including authentication/authorization issues and bypasses, insecure transport of data and firmware update mechanisms, undocumented methods, hard-coded passwords, unencrypted storage, easily disabled human safety protections, can end up exploited to allow attackers to spy on users, hijack the robots, brick them and potentially hurt humans around them, the research said.
Traditional industrial robots often end up used to perform duties that are dangerous or unsuitable for workers; therefore, they operate in isolation from humans and other valuable machinery.
"This is not the case with the latest generation collaborative robots, or cobots. They function with co-workers in shared workspaces while respecting safety standards. This generation of robots works hand-in-hand with humans, assisting them, rather than just performing automated, isolated operations," said IOActive researcher Lucas Apa.
"Cobots can learn movements, ‘see’ through HD cameras, or ‘hear’ through microphones to contribute to business success."
Along those lines, IOActive audited cobot vendors to see where they stood.
"In accordance with IOActive’s responsible disclosure policy we contacted the vendors last January, so they have had ample time to address the vulnerabilities and inform their customers," Apa said. "Our goal is to make cobots more secure and prevent vulnerabilities from being exploited by attackers to cause serious harm to industries, employees, and their surroundings."
Robots usually have exposed connectivity ports that allow physically present users to fiddle with them (via special USB devices, Ethernet connections), but unfortunately there are also ways for remote attackers to interfere with the robots’ safety features (collision detection and avoidance mechanisms), which can result in serious injuries.
An attacker can chain multiple vulnerabilities, for which the researcher found over 50, in a leading cobot to remotely modify safety settings, violating applicable safety laws and, consequently, causing physical harm to the robot’s surroundings by moving it arbitrarily.
"This attack serves as an example of how dangerous these systems can be if they are hacked. Manipulating safety limits and disabling emergency buttons could directly threaten human life," Apa said. "Imagine what could happen if an attack targeted an array of 64 cobots as is found in a Chinese industrial corporation."
This is not the first report of hackable robots.
Numerous factory robots have weak network security, using simple combinations of username and passwords that couldn’t even be changed; others didn’t even need a password.
Trend Micro released a research paper that found not only do robots have poor network security but they aren’t faring much better when it comes to software protection either. Some, the researchers said, even ran on outdated software.
Tens of thousands of robots using public IP addresses ended up discovered, which means they were extremely easy to hack.
Some of these industrial machines can receive commands from operators from afar, from a computer or phone. If the connection linking the two is not secure, hackers could use this vulnerability to hijack the machines.
They filmed a test on a robot programmed to draw a straight line. Researchers reverse engineered the RobotWare control program and the connected software and had the machine draw a line that was 2 mm off. That may seem like a small deed, but when applied to certain products these robots are built to create, the slightest miscalculation can translate into a catastrophe.
"In industrial devices, the impact of a single, simple software vulnerability can already have serious consequences. Depending on the actual setup and security posture of the targeted smart factory, attackers could trigger attacks that could amount to massive financial damage to the company in question or at worst, even affect critical goods," researchers said.
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.
See related stories from ISSSource linked below.