Despite the general nature of the report, industry specialists warn that if robot makers fail to take a security-first approach, it may haunt them.
“The desire for online commerce brought strong cryptographic algorithms into our daily lives,“ said Joe Britt, the chief executive of Afero, a Los Altos, Calif.-based maker of secure communications systems for the world of so-called embedded computing. “As embedded systems for sensors and robotics flourish in the next wave of computing, failure to apply these proven safeguards is like leaving the locks off of our doors.”
The research underscores the potential security challenges that await the world of mobile robots. Given the popularity of stationary home robotic systems like Amazon’s Echo and Google’s Home personal assistants as well as dozens of other internet-connected devices like doorbells, video cameras and even light bulbs, it appears that consumers are willing to trust that manufacturers are building adequate security into the products.
It is common for manufacturers that do not have good security practices to not know how to deal with vulnerability reports. Most of them probably do not have a procedure in place to handle reports and neither to provide security fixes to customers.
Robots are widely used in manufacturing. But they are largely systems like robot arms that do not have autonomous functions and cannot move around in the environment.
There is a growing consensus that during the next decade, advances in artificial intelligence will make it possible for robots to move freely in unstructured environments. This will bring self-driving cars closer to reality and will also lead to a generation of machines that will operate autonomously in homes, offices and factories.
The authors of the new report challenged the robotics industry, saying that not enough attention was being given to well-known security issues that have proved devastating for existing commercial computer networks.
“We call it an internet-of-things with arms and legs and wheels,” said Cesar Cerrudo, chief technology officer of IOActive. “The surface of attack is huge. Each robot has multiple ways it can be compromised.”
The researchers said that robot makers were rushing their products to market without giving adequate consideration to security.
“Vendors like to add features that please the public,” said Lucas Apa, a senior security consultant at IOActive and one of the authors of the report. “They forget about important issues. Robots can have microphones and cameras; they can walk and they can grab objects. People don’t realize the consequences of something that can grab an object or can hear or see you.”
The report identifies security flaws in a number of robots, including NAO and Pepper home robots made by SoftBank Robotics; and manufacturing robots from Universal Robots and Rethink Robotics, two makers of robot arms that are intended to collaborate with human workers in assembly line applications. It also identifies flaws in small humanoid robots made by UBTECH Robotics and Robotis, and in robotics software developed by Asratec Corp.
The report identifies seven different kinds of security issues, ranging from weak cryptographic systems and vulnerable default configurations to what security experts call authentication issues.
In some cases, they noted that it was possible to control some robot functions without authentication.
“We found key robot services that didn’t require a username and password, allowing anyone to remotely access those services,” the report said.
One of the robot manufacturers identified by the report disputed the findings. Two of the criticisms leveled by the researchers actually involved “features” added for research and education markets, according to Gil Haylon, a Rethink Robotics spokesman. He added that other vulnerabilities had been “phased out” in the latest software release for the company’s Baxter and Sawyer robots, which are intended for light assembly operations.
Universal Robots said it was looking into the issue raised by the researchers. The other companies did not immediately respond to requests for comment.