This week at the Hack in the Box security conference in Singapore, Argentinian security researchers Lucas Apa and Cesar Cerrudo will demonstrate attacks they developed against three popular robots: the humanoid domestic robots Alpha2 and NAO, and a larger, industrial-focused robotic arm sold by Universal Robots.
The two researchers plan to show how the machines can be hacked, either by changing critical safety settings or, in the case of the smaller bots, by sending them whatever commands they wish and turning them into surveillance devices that send audio and video to a remote spy.
Cesar Cerrudo, the chief technology officer of IOActive, where both researchers work, said that because the robots can move, hear and see, they will soon become a tempting target for hackers and spies who previously concentrated on computers and smartphones. But a robot poses a bigger threat once it has been hacked.
In terms of actual danger, the most concerning of the three robots they hacked is Universal Robots’ collaborative robot, since these machines work alongside humans in industrial settings and can extend their multi-jointed arms four feet out and lift loads of up to 22 pounds. The researchers discovered that the robot’s software has no real authentication; it relies only on easy-to-crack integrity checks that are supposed to prevent a hacker from installing malicious updates. The researchers used a common class of security vulnerability, a buffer overflow, to get access to the robot’s operating system and gain control over the robot’s movements.
Apa said that this vulnerability can cause damage to the robot itself as well as to a human working next to it, since the arm has enough force to fracture bones. He stated that the consequences of this type of robot being hacked could be catastrophic.
The two other robots are meant for entertainment, education and similar uses. The researchers hacked these by installing software on them, gaining complete control over the devices.
Looking into these devices’ systems, the researchers found similar vulnerabilities: both ran Google’s Android operating system without code-signing and did not encrypt their connections, which made it easy for the researchers to inject a malicious app.
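Why an integrity check alone does not stop a malicious update, and why the missing code-signing matters, can be shown with a small added example that is not code from the researchers or any robot vendor. The package layout (payload followed by a 32-byte trailer), the key and the payloads are constructed for illustration, and HMAC-SHA256 stands in for a vendor signature; a real update channel would normally use an asymmetric signature so that devices hold no signing secret.

```python
import hashlib
import hmac

# Constructed sample data; the layout (payload + 32-byte trailer) is an assumption.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
PAYLOAD = b"controller-update v1 (constructed sample payload)"
ALTERED = b"controller-update v1 (altered in transit)"


def package_unkeyed(payload: bytes) -> bytes:
    """Integrity only: trailer is a plain SHA-256 digest anyone can compute."""
    return payload + hashlib.sha256(payload).digest()


def verify_unkeyed(package: bytes) -> bool:
    payload, digest = package[:-32], package[-32:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def package_keyed(payload: bytes, key: bytes) -> bytes:
    """Authenticated: trailer is an HMAC that requires the vendor's key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_keyed(package: bytes, key: bytes) -> bool:
    if len(package) < 32:
        return False
    payload, tag = package[:-32], package[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def repackage_without_key(new_payload: bytes) -> bytes:
    """All that a party without the key can produce: payload + public digest."""
    return new_payload + hashlib.sha256(new_payload).digest()


def demo() -> dict:
    tampered = repackage_without_key(ALTERED)
    return {
        "unkeyed_accepts_original": verify_unkeyed(package_unkeyed(PAYLOAD)),
        "unkeyed_accepts_altered": verify_unkeyed(tampered),
        "keyed_accepts_original": verify_keyed(package_keyed(PAYLOAD, VENDOR_KEY), VENDOR_KEY),
        "keyed_accepts_altered": verify_keyed(tampered, VENDOR_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unkeyed check accepts the altered package because the digest detects accidental corruption only; the keyed check rejects it because the trailer cannot be recomputed without the key.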
With these devices, privacy is the main concern. These domestic robots have both a camera and a microphone, which could easily be used to spy on their targets, and the device could even be moved around the residence.
This isn’t the researchers’ first study of robot hacking. In March this year, they published a security analysis of robots, and the demonstrations expand on that work. That earlier study found more than 50 hackable security vulnerabilities in robots and robotics software sold by companies that also included Rethink Robots, Robotis, and Arsatec.