Security researchers have discovered that a number of popular industrial and home robots can be easily compromised to spy on humans and even remotely controlled to attack their owners. According to a new report by cybersecurity firm IOActive, the researchers demonstrated that collaborative robots (cobots) from multiple vendors contain vulnerabilities that could allow hackers to spy on users, disable safety settings, violate applicable safety laws and even control the robots to cause physical harm to users and their surroundings.
The Seattle-based security firm discovered several flaws in consumer and industrial bots sold by a number of manufacturers. The researchers also demonstrated how the machines could be turned into surveillance devices that record and transmit video and audio of users back to the hackers, and how they could be remotely controlled to cause physical harm.
"A hacked robot can act as an insider threat in organisations, industries or homes," Lucas Apa and Cesar Cerrudo from IOActive wrote in a technical paper titled "Hacking Robots before Skynet". "Their capabilities can be subverted and used for multiple purposes by outsiders that exploit remote vulnerabilities".
The researchers studied machines from a number of vendors including bots from Denmark's Universal Robots, China's UBTech Robotics, SoftBank, Japan's Asratec, South Korea's Robotis and Rethink Robotics.
The IOActive researchers said they were able to "easily" remotely compromise industrial robot arms by Universal Robots that are designed to work alongside humans. The researchers were able to hack the software that controls these arms and disable their key safety features.
Speaking to Bloomberg, they warned that Universal Robots' creations are large and powerful enough that "even running at low speeds, their force is more than sufficient to cause a skull fracture".
In one video, the researchers showed how UBTech's Alpha 2 robot could be hacked and turned into a screwdriver-wielding machine that repeatedly stabs a tomato.
The researchers also said Alpha 1S, the robot's Android app, does not verify a cryptographic signature when downloading an update, potentially allowing a malicious actor to carry out a "man-in-the-middle" attack and drop malware to infect the device.
"This attack serves as an example of how dangerous these systems can be if they are hacked," Apa wrote in a blog post. "Imagine what could happen if an attack targeted an array of 64 cobots as is found in a Chinese industrial corporation."
Regarding SoftBank's Pepper and NAO, the researchers said the NAOqi software did not perform an authorisation check while operating. Potential attackers could compromise the devices using a piece of code that allows them to record video and audio using the robots' front cameras.
IOActive said it has informed the companies of the vulnerabilities. However, it said "there's little to suggest that the 50-plus vulnerabilities we demonstrated have been fixed".
UBTech's North America general manager John Rhee told Engadget in a statement: "UBTech has been made aware of a sensationalistic video produced by IOActive featuring the Alpha 2. The video is an exaggerated depiction of Alpha 2's open-source platform. UBTech encourages its developer community to code responsibly and discourages inappropriate robot behaviour."
He added that the company is committed to "maintaining the highest security standards in all of its products", has conducted an investigation into IOActive's claims and "fully addressed" any concerns raised by the researchers that "do not limit our developers from programming their Alpha 2".
Asratec told Reuters that the software released thus far is limited to "hobby use sample programs". The company said it believed the researchers were referring to vulnerabilities in that software, noting that the software to be released for the commercial user would be different.
SoftBank Robotics said it has already identified the vulnerabilities and fixed them, while UBTech said it has "fully addressed any concerns raised by IOActive that do not limit our developers from programming" their bots.
"Robots are going mainstream," IOActive said. "In the very near future robots will be everywhere, on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, and interacting closely with our families in a myriad of ways.
"If robot ecosystems continue to be vulnerable to hacking, robots could soon end up hurting instead of helping us, and potentially taking the 'fiction' out of science fiction."