Following the news that IOActive released a report exposing numerous vulnerabilities found in multiple home, business and industrial robots on the market today. IT security experts from Synopsys, Synack and prpl Foundation commented below.
Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:
“The consequential damage of a hacked robot, or any hacked system, is directly commensurate with the amount of trust put into the system. This becomes extremely problematical as technology improves, and we become more reliant and more trusting of the systems. Once external connectivity is introduced, industrial robots become potential security time bombs, wherein any system where vulnerabilities are not constantly audited and managed eventually becomes easier to compromise over time, as the number of vulnerabilities climbs. The amount of damage that can be done is fully dependent on the capabilities of the robot, and simply hacking a robot to operate slightly out of a specified configuration mode can lead to everything from minor damage to death.”
Adam Brown, Manager, Security Solutions atSynopsys:
“Confidentiality breaches could mean intellectual property could be leaked. As the report states, microphones and cameras could be breached allowing sensitive conversations or views outside of the perimeter. Furthermore, input from sensors could reveal accurate measurements of potentially secret methods applied in manufacture.
“Integrity issues could mean that malicious actors could have introduced quality defects into a production line, enabling competitors or vandals to affect manufacturing processes just enough to cause reliability or safety problems in finished products.
“Availability issues could cease the manufacturing process or cause delays at critical points in time.
“Like with all information systems, vendors should apply software security to their development lifecycle for any internally created applications, and should invest in a software supply chain process for externally procured applications, libraries and software.
“Operators can scan the firmware that run these robots, in effect creating a software supply chain process themselves to keep vendors in check. It has long been known that vendors of all types of devices, not just robots supply products with vulnerabilities. The challenge is not so much detecting vulnerabilities but getting vendors to remediate them.”
“The consequences of a hacked robot depend upon its functionality. Let’s think about a car factory…If the robot is in charge of putting wheels on a car, an adversary could plant malware to alter the lug nuts installation tightness such that the wheels fall off at high rates of speed. We need to use our imagination on the worst case scenarios here when it comes to industrial robotics.
“This is definitely a real-world problem. These systems are built with the same technology that we’ve found vulnerable in other use cases, and it really is only as secure as developed. See above example for what kind of damage could be done…but we can get really creative here when it comes to industrial robots.
“In the age of the Internet of Things, there is a huge amount of change and flux in an IT environment. There are constantly new devices and SaaS apps being added to the network, creating a rise of traffic in and out of an organisation’s perimeters. The robot vendors, like any other software vendor, need to perform security assessments regularly and as systems are being developed. Secure development lifecycles apply to any system, and robotics manufacturers need to be aware of the avenues of attack on these systems by a determined adversary.
“In general, the networks for command and control of the robots need to be isolated and air-gapped from the rest of the corporate network. The update paths to the robot, including the supply chain, need to be verified as secure so we can protect these systems from malware or remote command injections.”
“Robots present a great opportunity to automate tasks and make human life more efficient, but equally can present a grave danger to the public if internal security controls are not properly addressed at the development stages. We see it time and again in the consumer market where really fantastic products that “work” are rushed to market and later we find out that security is nonexistent and at worst privacy may be affected due to data leakage. But when we apply this same rushed logic to the robotics industry, it could quite literally be lives on the line. Security has to be core to the development of these types of robotic devices and if they’re not secure, then they have no business being integrated with human lives.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.