AI & robotics severely lacking in cyber protection, new research finds
There are gaping vulnerabilities in business, industrial and home robots, many of which are high or critical risk and wide open to cyber attacks, a new research paper from IOActive has found.
The research, titled “Hacking Robots Before Skynet,” found 50 cybersecurity vulnerabilities across all devices. Those vulnerabilities include everything from insecure communications, authentication issues, weak cryptography, memory corruptions and privacy problems - all across what the company calls a ‘huge attack surface'.
Attackers can use those issues to become an insider threat. They could maliciously spy using the device's microphone and camera, leak personal business data, host malware, or cause severe harm to people and property.
The research also states that because researchers use the same or similar tools and practices worldwide, no additional cybersecurity protection is added. Prototypes and research are also left open to attack.
The research also cites a 2009 study from the University of Washington, which found that robots did not protect security and privacy. Since then, nothing has changed, the authors state.
Cesar Cerrundo, IOActive's CTO and co-author of the research, says AI and robots will become the new norm across the industrial, business and consumer space.
“Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don't present serious cyber or physical threats to the people and organizations they're intended to serve,” he says.
For the study, researchers tested mobile applications, firmware images and software across on robots across vendors such as Asratech Corp, Rethink Robotics, ROBOTIS, SoftBank Robotics, UBTECH Robotics and Universal Robots.
“We have already begun to see incidents involving malfunctioning robots doing serious damage to their surroundings, from simple property damage to loss of human life, and the situation will only worsen as the industry evolves and robot adoption continues to grow,” Cerrudo says.
The research paper also looks at security precautions that vendors should take, including authentication authorisation, Secure Software Development Life Cycle (SSDLC) encryption, security audits, vulnerability disclosure, education, securing the supply chain, factory restore and others.
“Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exasperated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction,” Cerrudo concludes.
IOActive operates globally, with a regional hub in Hong Kong.