Researchers: Robots Vulnerable to Ransomware
March 09, 2018      

Robotics developers already concerned about security vulnerabilities have another thing to worry about — robot ransomware.

Researchers from IOActive today showed a proof-of-concept ransomware attack on two popular service robots — Pepper and NAO — from SoftBank Robotics. They demonstrated the attack at the 2018 Kaspersky Security Analyst Summit in Cancun, Mexico.

IOActive’s Lucas Apa showed that he could take control of a robot and inject malicious code into its behavior modules via a public Wi-Fi network. After taking control of the robot within seconds, a hacker could then make it curse at someone or demand money — similar to how ransomware can hold a computer system or other network-connected device hostage.

Apa and Cerrudo spoke with Robotics Business Review about their demonstration, and what they hope the industry will do in order to make robots more secure from these types of attacks.

Lucas Apa IOActive security researcher

Lucas Apa, senior security consultant at IOActive, demonstrated a ransomware proof-of-concept attack against a service robot.

“With our research, we want the companies to have awareness of the possible threats,” Apa said, “and to start implementing security at an early stage — because otherwise, it gets too expensive to fix these problems.”

In the blog post highlighting their proof of concept, Apa and Cerrudo noted that many robots don’t have an easy to fix themselves when there is a software malfunction.

“Ironically, during our research, our robot started to malfunction,” Apa and Cerrudo said in the post. Sending the robot back to the U.S. and dealing with shipping costs and customs handling proved to be expensive, Apa said. Most companies likely won’t want to have customers sending back robots if they were to suffer a ransomware attack, he added.

IOActive CTO Cesar Cerrudo

The robot ransomware demonstration was created from earlier research that Apa and Cerrudo created in 2017, when they discovered almost 50 vulnerabilities in 13 different robots, which included flaws that could let hackers spy on people via a robot’s microphone and camera. These flaws could also allow someone to make an industrial robot cause physical harm.

Robot ransomware examples

In the ransomware example, potential attacks could include service interruptions, using offensive speech, or even displaying pornographic content on the robot’s display.

IOActive said that an infected robot could also be used as an entry point for access to other devices within an internal network, which would let hackers steal more valuable data from a company.

Downside of open development

Apa said it wasn’t that difficult to create robot ransomware, mainly because the firmware images for a lot of these robots are freely available on the internet.

In addition, an attacker wouldn’t need to have physical access to the robot to test their attack, since many of these robotics companies provide developers with emulators and simulators for the robots.

“You don’t need a robot for testing,” Apa said.

John Santagate, research director for service robotics at IDC, said the attack highlights the importance of security on both the edge of the network as well as within the robots themselves.

“I don’t think this revelation is anything earth-shattering; I think what it does is simply drive home the need for makers of robots to think about how they keep their devices secured from network-related threats,” Santagate said. “These devices are connected to the Internet, and just like any network-connected piece of equipment, if it is not adequately secured there are security risks.”

Protecting against robot ransomware

The IOActive researchers acknowledged that there have not yet been any incidents where a social robot provider was held liable for bad behavior. They emphasized the importance of educating developers, building in security safeguards, and choosing operating systems and networking tools carefully.

SoftBank Robotics provided a statement regarding the proof-of-concept attack: “We ask customers to maintain their Wi-Fi network’s security when using Pepper, and also correctly set the robot’s passwords. We will continue to improve our security measures on Pepper, so we can counter any future risks.”

Apa and Cerrudo said they are also creating a group within the Cloud Security Alliance’s Internet of Things working group to specifically address robotics security for any interested technologists or businesses.