IOActive researchers say they have discovered nearly 50 critical security issues in industrial cobots, adding ‘they can end up seriously hurting a person.’
Researchers at IOActive report they have discovered over 50 security vulnerabilities in industrial collaborative robots, or cobots. These are machines that work with people in a variety of settings, and if compromised by a remote hacker, could possibly cause physical harm to them. They could also conceivably be programmed to spy on their surroundings and send data to a remote server, creating a new kind of industrial sabotage.
The researchers, Cesar Cerrudo and Lucas Apa, wrote in a blog post that industrial cobots can be remotely tampered with to remove the safety configurations that keep them from operating outside their designated safety boundaries, and that no protocols are in place to prevent this. They began their research in February and today published a paper that complements the blog post.
“These industrial cobots are different from traditional robots, which stay in a fixed place doing repetitive work,” Cerrudo said. “These new collaborative robots are smarter and can do a lot of different things. There the threat is different. Once they are hacked, they have a lot of people around them; you’re talking about really powerful robots that can lift a lot of weight. It’s very possible they can end up seriously hurting a person.”
Cobot vendors don’t protect against common problems
Cerrudo and Apa studied publicly available firmware and software, how the machines work, and how they connect to local networks, to other robots and to their vendors’ systems, including cloud-based update services. They found numerous security issues.
“Most of the [vendors] did not protect against these common problems,” Apa said. “We found a range of vulnerabilities, such as insecure communication, authentication problems, cryptographic issues and more. Some of these vulnerabilities were very easy to exploit.”
The robots studied came from vendors such as Rethink Robotics (Baxter/Sawyer) and Universal Robots. The researchers said they immediately notified the companies of the security issues they discovered. Rethink Robotics was responsive and quickly issued multiple patches to fix the vulnerabilities, which included insecure authentication, insecure transport protocols, insecure default configurations and use of a research framework with known vulnerabilities. Unfortunately, Universal Robots ignored the information and has not done anything to fix its vulnerabilities, which include authentication flaws, memory corruption and insecure communication, according to the blog post.
Apa included a YouTube video in the blog post that demonstrates the attack.
In all, according to the blog post, the researchers contacted six principal vendors in this market, and four replied. Some said they would consider fixing the vulnerabilities, while others, such as SoftBank Robotics, said they could not, likely because of a compatibility issue or design problem. Others, such as UBTech Robotics of China, simply thanked the researchers for their notification.