When people think of robots, they often imagine anthropomorphic metal figures from sci-fi movies, or industrial automatons on gigantic assembly lines. Few contemplate the fact that robots have long been fully among us. They wash our cars, deliver parcels, sort goods in warehouses, administer pills to patients, ring church bells — and the list only grows longer and longer. Essentially, these are cyberphysical devices on the internet of things (IoT).
This raises a valid question: if so many organizations are already using robots, who’s in charge of their security? Our colleagues studied the implications of the increasingly widespread adoption of automation and robots, asking more than 4500 representatives of various organizations what they think about this. It turned out that 44% of respondents consider the level of robot security in organizations to be quite high, while 40% hold the opposite view. A cursory online search shows that the latter group are more likely to be right. Security experts have long been trying to draw attention to the issues of protecting robots: they’ve investigated many machines in recent years and found them to be vulnerable. Here are just a few that caught their eye.
Back in 2017, at the Black Hat conference, researchers Billy Rios and Jonathan Butts demonstrated how to hack an automatic car wash and what threat this poses to humans. They studied a PDQ LaserWash automatic car wash system, which can be connected to the internet, and found a way to hijack it. They even showed that it’s possible to slam the bay door into a car, which could endanger not only the vehicle, but also the driver. At the time of initial posting, the vulnerability still wasn’t closed.
Autonomous mobile robots
In the spring of 2022, researchers from Cynerio studied Aethon autonomous mobile robots used in hospitals to transport goods, materials, and clinical supplies. They found vulnerabilities in the control servers and easily took over the robots, which in turn had access to restricted areas in hospitals and could operate service elevators, not to mention the possibilities for spying. The researchers presented some perfectly realistic attack scenarios using the holes they discovered, from stealing medication to sabotage by ramming objects or delaying delivery of critical drugs. In this case the vendor closed the vulnerabilities before the report was published.
In 2018, experts from IOActive showed how an NAO robot – a humanoid robot manufactured by SoftBank Robotics – can be attacked. One could think at first that an NAO robot is little more than a toy. However, various organizations use the robots for teaching children, and some have even tried to find a business application for them as… a customer communications manager! By modifying the robot’s system files, the researchers were able to steal information from its memory, as well as make it use foul language and show pornography when given access to a screen. What at first glance might seem like a harmless prank would have grave consequences for the owners when the lawsuits from angry parents and business customers start piling up. The researchers also managed to infect the robot with ransomware and have it demand a ransom. In this case – as in the first, above – the developers were reportedly in no hurry to close the vulnerabilities.
Fortunately, not everyone is turning a blind eye to robot security: more than half (51%) of our survey respondents believe that robots are vulnerable to hacking.