The alert comes six months after the company warned that the most popular industrial and domestic robot brands have vulnerabilities that could be exploited by cyber attackers.
The first warning was based on research which found that, because many robots use multicast DNS (mDNS) to advertise their presence on the network, a robot’s host name is relatively easy to discover.
Also, because some robot services do not require authentication, any user on the same network can issue commands that make the robot perform actions or disable its safety features.
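The discovery step described above, as an added example that is not part of the original article or of IOActive's research: a small DNS-SD/mDNS client in Python that builds the standard "enumerate all service types" query, parses the replies for service instances, host names and addresses, and optionally multicasts the query on the local network. The reply packet embedded in it is constructed by hand so the parser runs offline; the service type `_naoqi._tcp`, the port 9559, the host name and the address in it are illustrative assumptions, not identifiers taken from the article.

```python
import socket
import struct
import sys

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
ALL_SERVICES = "_services._dns-sd._udp.local"   # RFC 6763 service-type enumeration name


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_PTR) -> bytes:
    """Standard query, one question, QU bit clear so answers go to the multicast group."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                           # pointers must go backwards; stops loops
                raise ValueError("bad compression pointer")
            end = end or off + 2                     # the name ends after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(pkt: bytes) -> dict:
    """Pull PTR (service instances), SRV (host:port) and A (address) records out of a reply."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                              # skip any echoed question section
        _, off = decode_name(pkt, off)
        off += 4
    found = {"services": [], "hosts": {}, "addrs": {}}
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            found["services"].append((name, decode_name(pkt, off)[0]))
        elif rtype == TYPE_SRV:                      # priority, weight, port, target
            port = struct.unpack("!H", pkt[off + 4:off + 6])[0]
            found["hosts"][name] = (decode_name(pkt, off + 6)[0], port)
        elif rtype == TYPE_A and rdlen == 4:
            found["addrs"][name] = socket.inet_ntoa(pkt[off:off + 4])
        off += rdlen
    return found


def _rr(rtype: int, rdata: bytes, name: str = "", raw_name: bytes = b"") -> bytes:
    return (raw_name or encode_name(name)) + struct.pack("!HHIH", rtype, 1, 120, len(rdata)) + rdata


def build_sample_response() -> bytes:
    """Constructed reply (assumed names/port, not from the article): PTR, SRV and A records."""
    svc, inst, host = "_naoqi._tcp.local", "nao-robot._naoqi._tcp.local", "nao-robot.local"
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)
    ptr = _rr(TYPE_PTR, encode_name(inst), name=svc)
    srv = _rr(TYPE_SRV, struct.pack("!HHH", 0, 0, 9559) + encode_name(host), name=inst)
    # The A record's owner name is a compression pointer to the host name inside the SRV
    # rdata, so the parser's pointer handling is exercised offline.
    host_off = len(header) + len(ptr) + len(encode_name(inst)) + 10 + 6
    a = _rr(TYPE_A, socket.inet_aton("192.168.1.42"), raw_name=struct.pack("!H", 0xC000 | host_off))
    return header + ptr + srv + a


def discover(timeout: float = 2.0) -> dict:
    """Multicast the enumeration query on the LAN and merge every reply seen before timeout."""
    merged = {"services": [], "hosts": {}, "addrs": {}}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", MDNS_PORT))
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                        socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0"))
        sock.settimeout(timeout)
        sock.sendto(build_query(ALL_SERVICES), (MDNS_GROUP, MDNS_PORT))
        try:
            while True:
                pkt, _src = sock.recvfrom(9000)
                try:
                    r = parse_response(pkt)
                except (struct.error, IndexError, UnicodeDecodeError, ValueError):
                    continue                         # malformed or truncated packet
                merged["services"] += r["services"]
                merged["hosts"].update(r["hosts"])
                merged["addrs"].update(r["addrs"])
        except socket.timeout:
            pass
    return merged


if __name__ == "__main__":
    print(discover() if "--live" in sys.argv else parse_response(build_sample_response()))
```

Run without arguments it parses only the constructed packet; with `--live` it joins the mDNS group and prints whatever the local network answers, which is the passive reconnaissance the article describes. Whether a discovered service then accepts commands without authentication is a separate check that has to be made against the specific service.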
The latest warning follows a successful proof-of-concept ransomware attack on the Nao and Pepper robots by IOActive researchers Cesar Cerrudo and Lucas Apa.
The attack method is detailed in a blog post entitled Robots want bitcoins too, published to coincide with a live demonstration of the attack by Apa during a presentation on the dangers robots pose to human safety at the 2018 Kaspersky Security Analyst Summit in Cancun, Mexico.
The extent of the threat is underlined by the fact that SoftBank Robotics has sold more than 30,000 of these humanoid robots worldwide to date, and according to IDC, robotics spending is expected to reach $231bn by 2021.
Many industries, including manufacturing, automotive, retail and restaurants, rely on robots to expedite processes usually handled by humans.
According to Cerrudo and Apa, if robot vulnerabilities are exploited to upload ransomware, a business could lose access to data, robot production could shut down, and businesses could wait weeks for costly robots to be repaired.
“It is no secret that ransomware attacks have become a preferred method for cyber criminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back,” said Lucas Apa, senior security consultant at IOActive.
“Knowing that, we decided to conduct a proof-of-concept ransomware attack on the Nao robot, leveraging vulnerabilities we uncovered in our prior research in 2017.”
The attack is based on the assumption that business owners are more likely to pay a ransom than wait weeks to return targeted robots to operational status. “Every second a robot is non-operational, businesses and factories are losing lots of money,” said Apa.
This new research on robot ransomware builds on the original research that Apa conducted with Cerrudo, CTO at IOActive, in 2017, during which they discovered almost 50 vulnerabilities in robots from various suppliers.
As outlined in the original research, Hacking robots before Skynet and its technical appendix, attackers could exploit the flaws found in these robots to spy via the robot’s microphone and camera, leak data, or cause serious physical harm.
Cerrudo and Apa then took the research a step further, creating and uploading ransomware to the Nao robot model, which has the same operating system as the SoftBank Pepper model.
By injecting custom code into the robot’s behaviour file classes, they altered the robot’s behaviours to be malicious. Possible malicious behaviour in an infected robot includes complete interruption of service, pornographic content on the robot’s display, the use of curse words and even violent movements.
The infected robot could also be an entryway into other internal networks at a business, offering backdoor access to attackers and a foothold for lateral movement to steal sensitive data.
“Even though our proof-of-concept ransomware impacted SoftBank’s Nao and Pepper robots, the same attack could be possible on almost any vulnerable robot,” said Apa.
“Robot vendors should improve security as well as the restore and update mechanisms of their robots to minimise the ransomware threat. If robot vendors don’t act quickly, ransomware attacks on robots could cripple businesses worldwide.”
IOActive informed SoftBank of the findings through responsible disclosure in January 2017 and is not aware of any fix being available at the time of writing, more than a year later.