Researchers led by the National University of Singapore recently demonstrated that household robot vacuum cleaners could be hacked to act as listening devices that spy on their unsuspecting owners. But what are the risks for industrial robots? Can they be hacked?
Hackers have exploited Lidar technology, the same used in the latest iPhone, to turn a household vacuum cleaner into a spying device. If that is not sinister enough, in another experimental stunt designed to demonstrate the vulnerabilities in an increasingly connected world, a friendly-looking humanoid robot was hacked to act like Chucky from the horror films Child’s Play. A video showed the robot attacking a tomato while emitting an evil laugh.
The idea of having household robots hacked is scary because they are, quite literally, so close to home. Yet while the Chucky hacking sounds sinister, the robot in question is far too small to cause direct physical harm.
That is not the case for most industrial robots, where the consequences of hacking could be greater. These robots have been designed and manufactured with safety in mind, but if a hacker were able to override the safety protocols then these robots, unlike the household humanoid in the example above, would have the potential to cause serious harm to workers in the factories that use them.
That is not the only threat. Industrial robots could be hacked to steal trade secrets or other commercially sensitive data. A hack in which the perpetrator physically takes control of the robot at least has the benefit that the victim can identify it. Another threat is the possibility of hackers making much smaller, subtler adjustments to the commands or parameters of a robot. The change would not be visible to the naked eye but could render an entire product line defective through the insertion of microdefects.
Whether it is smartphone manufacturing, car-making or the food and beverage sector, factories around the world are already equipped with robots and other automated technologies. So how much of a threat is the possibility of these robots being hacked, and what can manufacturers do about it?
Assessing the threat
For industrial robots, the priority has always been making sure the robots are safe to operate around humans. Until recently cyber safety has, perhaps, received less attention. Yet many of the same basic techniques that researchers have used to expose the vulnerabilities in consumer robotics have proved just as effective in an industrial setting.
Typically, hackers use scanners to survey Internet of Things (IoT) devices for weaknesses and vulnerabilities. These might be usernames and passwords unchanged from the factory defaults, or glitches in the software that can be discovered through reverse engineering. It is less the robots themselves than the growing reliance on connectivity and IoT devices that increases the vulnerability.
Having hacked a small humanoid to act like a devious toy doll, researchers from the cybersecurity firm IOActive pulled off similar feats with industrial robots. They were able to hack an industrial robot arm made by Universal Robotics, overriding the safety protocols of the machine.
In another prominent example, Trend Micro discovered flaws in software produced by ABB. The Rogue Automation report details how researchers encountered an app store created by ABB and, by downloading and reverse engineering the apps, were able to pinpoint a vulnerability. This allowed them to exfiltrate sensitive data. ABB has since fixed the issue.
Open source software is a double-edged sword. On the one hand it allows an army of well-intentioned computer boffins to spot and resolve any potential vulnerabilities or glitches. On the other hand, it means those with less benign intentions can exploit those same vulnerabilities, if they get there first.
To demonstrate this, the researchers used their scanner to search for flaws in the popular open source software Robot Operating System Industrial (ROS-I), which was adapted for ABB by Kuka. They found flaws in the software component for Kuka and ABB robots that could have allowed hackers to interfere with the movements of the robots. Users can rest assured that this vulnerability no longer exists.
Preparing for the future
Results like these are worrying, and manufacturers and regulatory authorities will need to change their approach. In future, cybersecurity will require more focus, as more and more devices are connected to the internet.
In the meantime, sensible manufacturers can continue to exploit the benefits of automation while ensuring they observe the basics of cyber health. This means downloading and installing the latest software and patches, as well as educating staff on cybersecurity.
In many examples of hackers taking over robots – such as the Chucky example at the beginning of this article – the hackers need access to your local network or at least the ability to tamper with it. Securing that will be key, and in some instances it is simply a case of updating the passwords and usernames from the factory default settings.
It may be the case that newer devices are more vulnerable. Robots or other automated devices that have been tried and tested are more likely to have had their security flaws discovered and resolved, such as in the example from Kuka and ABB above. The risk with these machines is that their components become obsolete, but partnering with a reliable automation parts supplier will allow manufacturers to continue relying upon the tech they trust, whether that is new or obsolete equipment.
By: John Young, EU Automation