"This is one of the most critical problems we found, allowing anyone to remotely and easily hack the robots," the researchers said in their report.
Some robots did not encrypt stored passwords, cryptographic keys, credentials for third-party services and other sensitive data. Others attempted to protect data with encryption, but with encryption schemes that were improperly implemented.
Many of the accompanying mobile apps were found to send sensitive information, such as network, device and GPS details, to remote services without user consent. Some robots' default configurations included insecure features that could not be easily disabled or default passwords that could not be changed.
Some of the authentication, authorization and insecure communication issues were the result of vulnerabilities in open-source software frameworks, libraries and operating systems shared by robot developers. One such case is the Robot Operating System (ROS), a popular OS used in several robots from multiple vendors, the IOActive researchers said.
The researchers believe that another problem is that in many cases robots make the jump from prototype to commercial product too fast, without any cybersecurity audits and additional protections being built in.
Many of the implications of a hacked robot are similar to those of a hacked IoT device or computer: spying through microphones or cameras, providing a foothold inside internal networks to launch other attacks, exposure of personal data and stored credentials for third-party services. However, due to their kinetic abilities, robots pose other dangers as well.
Inside homes, hacked robots could be used to damage objects and hurt people through sudden movements. They could potentially start fires, unlock doors, deactivate home alarms and more. The same problems could arise from hacked robots in a business environment.
Industrial robots are even more dangerous because they're larger and more powerful than other types of robots. They could easily kill a person and there have been accidents where people have died because industrial robots malfunctioned.
"Many of the cybersecurity issues our research revealed could have been prevented by implementing well-known cybersecurity practices," the IOActive researchers said. "We found it possible to hack these robots in multiple ways, made a considerable effort to understand the threats, and took care in prioritizing the most critical of them for mitigation by the affected vendors. This knowledge enabled us to confirm our initial belief: it's time for all robot vendors to take immediate action in securing their technologies."
This research suggests that, until now, robot vendors have prioritized getting products to market over security. The same has happened in other industries, such as the internet of things, which has become a big security mess.
If cybersecurity is not taken into consideration at the beginning of a product's lifecycle, fixing vulnerabilities after it's already released is more complex and expensive, the IOActive researchers said. "Fortunately, since robot adoption is not yet mainstream, there is still time to improve the technology and make it more secure."