An analysis of robots used in homes, businesses and industrial installations has revealed many of the same basic weaknesses that are common in IoT devices, raising questions about security implications for human safety.
The robotics industry has already seen significant growth in recent years, and that growth is only expected to accelerate. Robots are expected to serve in many roles, from assisting people in homes, stores and medical facilities, to manufacturing things in factories and even handling security and law enforcement tasks.
"When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before," researchers from cybersecurity consultancy firm IOActive said in a new report.
"As human-robot interactions improve and evolve, new attack vectors emerge and threat scenarios expand," the researchers said. "Mechanical extremities, peripheral devices, and human trust expand the area where cybersecurity issues could be exploited to cause harm, destroy property, or even kill."
The research, performed by IOActive CTO Cesar Cerrudo and Senior Security Consultant Lucas Apa, involved analyzing the mobile applications, operating systems, firmware images and other software used in home, business and industrial robots from multiple vendors.
The robots for which software components were tested included: the NAO and Pepper robots from SoftBank Robotics, the Alpha 1S and Alpha 2 robots from UBTECH Robotics, the ROBOTIS OP2 and THORMANG3 robots from ROBOTIS, the UR3, UR5 and UR10 robots from Universal Robots, the Baxter and Sawyer robots from Rethink Robotics and several robots using the V-Sido robot control technology from a company called Asratec.
The researchers found that most robots used insecure communications, had authentication issues, were missing authorization schemes, used weak cryptography, exposed private information, came with weak configurations by default and were built using vulnerable open source frameworks and libraries.
While not all of the robots had all of these problems, each robot had several of them, the researchers said in their report. This led them to conclude that other robots that were not included in the assessment likely have many of the same issues.
Some robots can be controlled from mobile apps or can be programmed with software installed on computers. Other robots communicate with cloud-based services to receive software updates and applications.
If the communication channels between these various components are not secure and encrypted, attackers can potentially launch man-in-the-middle attacks and inject malicious commands or software updates to be executed on the robots.
Furthermore, many of the tested robot firmware images and operating systems had remotely accessible services that provided access to different functions. Accessing some of these services did not require any authentication. Other services required authentication, but used weak mechanisms that could be easily bypassed.