Security researchers say that a number of popular industrial and home robots are easy to compromise and can be made to spy on people, or even be remotely controlled to attack their owners.
Cybersecurity firm IOActive has published a report in which its researchers show how easily collaborative robots can be hacked. Vulnerabilities in the robots' systems allow attackers to spy on users, turn off safety settings and even control the robots so that they cause physical harm to their owners and surroundings.
Lucas Apa and Cesar Cerrudo wrote the technical paper, called “Hacking Robots Before Skynet”, in which they said that hacked robots can pose an insider threat to organizations, homes, and industries, and that attackers can misuse the robots' capabilities via remote vulnerabilities.
The researchers studied machines from multiple vendors, such as Universal Robots from Denmark, UBTech Robotics from China, SoftBank, Robotis and others.
Industrial robot arms from Universal Robots were easy to compromise remotely, said the researchers. These arms are designed to work alongside humans, and the researchers say they managed to hack the software that controls the arms and turn off the safety measures.
The researchers warned that the robotic arms have enough power to cause a skull fracture, even though they do run at low speeds.
In addition, the Android app for the robot called Alpha 1S has no safety measures and is easily hackable because it does not verify a cryptographic signature when downloading an update, which could allow a malicious actor to carry out a “man-in-the-middle” attack and drop malware to infect the device.
As for SoftBank’s Pepper and NAO, researchers said that the software running on the robots, NAOqi, does not perform an authorization check when operating, making it easy for attackers to compromise the device by using a piece of code that allows them to record video and audio with the robots’ front camera.
IOActive said it has informed the companies of the vulnerabilities, but it seems that none of them took its warning seriously, and there is little evidence that any of them are doing anything to fix the vulnerabilities.
UBTech’s North America general manager, John Rhee, issued a statement saying that the firm is aware of IOActive’s demonstration involving one of its products, and that the depiction is exaggerated. He says that UBTech encourages its developer community to code responsibly and discourages inappropriate robot behavior.
Asratec chimed in by saying that the software it has released thus far is limited to sample programs for hobby use. The company said that the vulnerabilities made public by the researchers were in that particular software, and that another one will be put out for commercial use.
SoftBank Robotics said it has already identified the vulnerabilities and fixed them, while UBTech said it has fully addressed any concerns raised by IOActive that do not limit its developers from programming their bots.