
Robots at serious risk of hacking attacks

Tanya Blake

Robots are not immune to hacking attacks - and a number of vulnerabilities discovered in several home, business and industrial machines could leave them “highly susceptible” to cyber threats, warn scientists.


The research paper, Hacking Robots Before Skynet, by security services company IOActive, identifies multiple vulnerabilities in industrial robotic systems, including many graded as “high or critical risk”. If hacked, robots could be used to maliciously spy on people via their microphone or camera, be used to leak personal or business data, or in extreme cases, cause “serious physical harm or damage” to people and property.  

IOActive’s researchers tested various robots during a six-month period, and found flaws in several machines from vendors including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.

Safety dangers of hacked industrial robots should be taken especially seriously as they are “more powerful and faster” than current business and home robots, says Lucas Apa, senior security consultant at IOActive and co-author of the paper. “This is why hacked industrial robots are typically more dangerous, especially when human safety features can be disabled by end-users,” he says. In future, he adds, business and industrial machines may also lead to attacks outside the industry.

Cyber attacks on industrial robots are becoming more common. For instance, the Stuxnet worm first emerged during the summer of 2010 and went on to attack and infiltrate more than 15 Iranian industrial sites, including the Natanz nuclear facility. It is believed that this attack was initiated by a random worker's USB drive.

Meanwhile, in December 2015, an unprecedented cyber attack on the Ukrainian power grid saw sophisticated hackers remotely take over a control centre that distributes power to the western region of the country. The hackers were able to control circuit breakers at a substation and take it offline. Thousands of residents lost power. Operators were unable to regain control as the cyber criminals had already changed security passwords, allowing them to take another 30 substations and two power distribution centres offline.

To deal with this growing threat, the researchers suggest some basic security precautions such as implementing a Secure Software Development Life Cycle, encryption, and security audits, as well as making vendors provide a factory restore to customers and securing the supply chain. It's also important to invest in cybersecurity education for all employees, not just for engineers and developers, add the researchers.

And it's crucial that vendors implement cybersecurity from an early stage, says IOActive’s chief technology officer and co-author of the paper, Cesar Cerrudo. 

For their part, buyers should check for security features before buying a machine, he adds. “If robots have few or no security features then that’s not a good indication,” he says. Users also should be careful how they use robots, and consider the potential damage or impact if something goes wrong, he adds.

At the end of the day, a robot is just a computing device - and it should be designed to ward off hacking attacks, says Mike Just, a computer scientist at Heriot-Watt University. “It's important to push the manufacturers of all computing devices - including robots - to properly address cybersecurity before they release their products,” he says.

When used in critical areas, such as managing water supplies or nuclear reactors, computing devices have historically undergone more rigorous testing and evaluation than when they are sold directly to the public. But this practice must change, says Just, especially in light of the current rise of the Internet of Things, autonomous cars, and AI.


