Clash of Titans: Robot Makers vs. Robot Hackers
Specializing in Asia by Covering the Globe Boston | Bangkok | Beijing | Bombay
“The bad actors are progressively getting better organized, smarter and better built for success.” —Insurance Thought Leadership
IOActive experts told Information Security about “numerous security vulnerabilities in modern robotics systems which could render them susceptible to life-threatening cyber-attacks.”
Cerrudo and his fellow expert, Lucas Apa, claim to have uncovered 50 bugs in machines built by six of the biggest robotics manufacturers. When it comes to major manufacturers of industrial robots, six is a huge number, which hints at the possibility that the entire industry was unaware and caught off guard by cyber threats to their products.
A major concern for Cerrudo and Apa is what they call the “huge attack surface presented by a modern robotics system, including OS, firmware, software, remote control apps, cloud services, network and the physical unit itself.”
That’s just about everything.
A few of the standouts on their “bad list”: “Data communications sent in cleartext; no, or easy-to-bypass, authentication; insufficient authorization to protect key functionality; weak cryptography; weak default configurations; weak open source frameworks and libraries and on-consensual sharing of personal data.”
What the bad guys could do
The 17-page Hacking Robots Before Skynet claims that hackers could exploit any item on the “bad list” “to spy on users via in-built mics/cameras; use the robot as a stepping stone into the corporate network or the owner’s cloud accounts or even change its behavior in malicious ways.
“Rival firms or cyber-criminals looking to extort victim organizations could subvert the operation of bots, for example, and if the robot has access to customer information, that could also be at risk.”
Apa told ZDNet that he’s worried that “robot manufactures appear to be repeating the same cybersecurity mistakes as Internet of Things vendors.”
"It's the same story over and over again,” warned Apa, “after this report some vendors will start to worry about security, but many will continue working in the same way without taking care of security."
The report concludes: “Our results show how insecure and susceptible current robot technology is to cyberattacks, confirming our initial suspicions. Furthermore, many other vendors and robots could be vulnerable to the same issues we discovered, scaling the potential for havoc to much higher and broader levels.”
Although IOActive contacted all of the robotics manufacturers mentioned in the report about the dire findings, it also wanted to see a broader dissemination of the report so “the wider public will grow more aware of the issue.”
Hence, Hacking Robots Before Skynet made available to one and all as a PDF download.
On insurers and hackers
So then, is it possible for a line of hard-working cobots tending CNC milling machines to suddenly go berserk and start tossing stuff around like an Animal House food fight? Yes, seems to be the wider answer from the IOActive report.
What then about liabilities, damages, interrupted production schedules, and myriad other possibilities that will fall to insurers of robots to underwrite?
“Cyber cover is one of the fastest-growing parts of the insurance world, as a stream of attacks on companies raises the profile of what was once a niche product.
“About $2 billion was spent on cyber insurance worldwide in 2015 — but Allianz thinks that figure could be 10 times larger by 2025.”
With robots, writes Toby Redshaw at Insurance Thought Leadership, "the criminal cash flow is a little harder to predict, but IP-connected robots is a space that will grow exponentially over the next decade and be at key points in manufacturing, military and medical process flows. What is the ransom for holding a bottling plant hostage?"
Hostage bottling plants, rowdy cobots, and unconcern over robot vulnerabilities, are alarm bells quickly coming of age in this time of rude awakening. A new industry of cyber hardening of robots is on the rise; insurers will probably balk at insuring non-hardened robots; and the automation juggernaut of the Fourth Industrial Revolution has gained an adversary.
Lots of smart people building robots and robot software will be working double time to protect the globe’s 1.8 million robots. Lots of smart people gathering together in clandestine groups on the Dark Web will be working to make lots of money by causing havoc.
As Redshaw concludes: “This is a target-rich environment that is growing faster than almost anyone anticipated. The bad actors are progressively getting better organized, smarter and better built for “success.” Interpol, the FBI and other law enforcement agencies do great work, but a lot of it is after-the-fact.
“Enterprises need new approaches to network-centric compartmentalized security. New thinking about upstream behavioral preventative design is needed for robustly secure IoT plays.”
It’s all shaping up to be nothing short of a clash of titans, who may all wear hoodies like Mr. Robot and be eminently capable of either preserving or taking down a nation’s entire robot workforce.
Who has the early advantage, how should industry respond, and how best to cyber-harden a robot?
The BIG wake-up call arrives
The newest game in town for robots is defending themselves from hacking and cybercrime, so say the Financial Times, Forbes, ZD Net, and Information Security, all out with scary articles on the matter this week.
All of the articles base their information on work conducted by the well-known and respected IOActive Labs, which bills itself as a global leader in cybersecurity consultancy.
IOActive researchers spent “six months testing mobile applications, robot operating systems, firmware images, and other software in order to identify the flaws in the robots.”
The end result of that effort was the production of a 17-page report: Hacking Robots Before Skynet.
What we are seeing here is an identical snapshot in time that harkens directly back to the Millennium, when computers first got rocked by global viruses that knocked out millions of computers and caused billions of dollars in damages.
Now it’s the robots turn. Robots, as were computers in 2000, are totally vulnerable. They are easy to hack.
And as with computers some 17 years back, robots are going to be the drivers in the launch of a new industry for robot security as well as security for every connected device in the Industrial Internet of Things (IIoT).
That’s a tall order
Macquarie Research reckons that the installed base of industrial robots is ~1.8 million units (about equal to the population of Philadelphia).
Cesar Cerrudo, IOActive's chief technology officer and co-author of Hacking Robots Before Skynet, is concerned that robots are hooked up to the Internet with little or no thought about cybersecurity. Putting data behind such a claim was one of the principle objectives of the IOActive report.
The opening chapter of his report dives right to the issues at hand: Cybersecurity Problems in Today’s Robots. The chapter covers:
Weak Default Configuration
Vulnerable Open Source Robot Frameworks and Libraries
It’s an eye-opening, quick read that should be required for anyone who owns or operates an expensive robot working around other expensive machines all the while knocking out expensive products. It’s like dominoes waiting to happen.
The seven security challenges from the above list are a starting point for anyone operating even a single industrial robot that is connected in any way to the Internet.
Getting an insurer to underwrite industrial robots may well become near-impossible without the robot being hardened to cyber hacking.
Plus, from what we’ve learned from the past, cyber-hardened robots are just a logical next step. It’s the future of robots, just as it was the future of computers a decade or so back.
Which will it be?
“Those who cannot remember the past are condemned to repeat it."
“I've got news for Mr. Santayana: we're doomed to repeat the past no matter what. That's what it is to be alive.” ― Kurt Vonnegut
Lesson for robotics: hacking’s backstory
Filipino college student, Onel de Guzman, created the now-infamous ILOVEYOU computer virus in his Manilla apartment in 2000. Disguised as a love letter and sent via email, the virus infected 45 million computers worldwide, causing $8.7 billion in damages while costing another $15 billion to remove.
Of course, ILOVEYOU was not the first computer virus. The first actually dates back to 1971 with the Creeper Virus that spread using the Advanced Research Projects Agency Network (ARPANET). Yes, ARPANET!
The distinction that the ILOVEYOU virus carries is that it is what prompted the rise of today’s anti-virus industry. According to Cybersecurity Ventures, by 2004 the anti-virus industry was about $4 billion; in 2017, it’s expected to be $120 billion.
That’s a 35x increase in 13 years. Market Research claims that it will be $170 billion in 2020. And a Gartner forecast for 2016 put the tab at about $81 billion. As you can see from the above, no one really knows for sure what the costs are or will be. Real data is hard to come by, so all sorts of numbers are flying around. What is known is that the number is very large and that the defensive spend is growing exponentially.
The hacked are silent
Case in point about the lack of information on cybercrime: It was only March 1, 2017 that Yahoo! finally admitted that around 32 million user accounts were accessed by “hackers in the last two years using a sophisticated cookie-forging attack without any password.” It took two years to get that answer from Yahoo!
Many times the hacked are silent so as not to let on that they are unable to defend themselves...and ashamed to admit that they were brought to their knees by cyber hooligans.