
AI & robotics severely lacking in cyber protection, new research finds

02 Mar 17

There are gaping vulnerabilities in business, industrial and home robots, many of which are high or critical risk and wide open to cyber attacks, a new research paper from IOActive has found.

The research, titled “Hacking Robots Before Skynet,” found 50 cybersecurity vulnerabilities across all devices. Those vulnerabilities include everything from insecure communications, authentication issues, weak cryptography, memory corruptions and privacy problems - all across what the company calls a ‘huge attack surface’.

Attackers can use those issues to become an insider threat. They could maliciously spy using the device’s microphone and camera, leak personal business data, host malware, or cause severe harm to people and property.

The research also states that because researchers use the same or similar tools and practices worldwide, no additional cybersecurity protection is added. Prototypes and research are also left open to attack.

The research also cites a 2009 study from the University of Washington, which found that robots did not protect security and privacy. Since then, nothing has changed, the authors state.

Cesar Cerrudo, IOActive’s CTO and co-author of the research, says AI and robots will become the new norm across the industrial, business and consumer space.

“Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don’t present serious cyber or physical threats to the people and organizations they’re intended to serve,” he says.

For the study, researchers tested mobile applications, firmware images and software on robots from vendors such as Asratech Corp, Rethink Robotics, ROBOTIS, SoftBank Robotics, UBTECH Robotics and Universal Robots.

“We have already begun to see incidents involving malfunctioning robots doing serious damage to their surroundings, from simple property damage to loss of human life, and the situation will only worsen as the industry evolves and robot adoption continues to grow,” Cerrudo says.

The research paper also looks at security precautions that vendors should take, including authentication, authorisation, a Secure Software Development Life Cycle (SSDLC), encryption, security audits, vulnerability disclosure, education, securing the supply chain, factory restore and others.

“Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exacerbated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction,” Cerrudo concludes.

IOActive operates globally, with a regional hub in Hong Kong.
