Robotic devices and automation platforms — which are similar in many ways — seem to be exploding in the IoT market, and for good reason. The idea behind these systems is to automate or carry out basic tasks so we have more time to do the important stuff.
But a new study from authors at IOActive reveals that robots are just like many other technologies that exist today: they are not inherently secure and present a lot of risks. The paper that presents this info is called “Hacking Robots Before Skynet” and comes from Cesar Cerrudo, the CTO at IOActive, and Lucas Apa, Senior Security Consultant for the same company.
Cerrudo and Apa present several reasons why this innovative and growing technology may be dangerous in terms of security, privacy and stability. They explain how robot technology is insecure — as is anything connected to the internet — and that lack of security could pose risks.
Since forecasts show global spending on robotics and similar technology will approach $188 billion by 2020, it’s time to start talking about these things.
What Are the Major Security Problems in Robotics?
You can read more about it in Cerrudo and Apa’s report, but below you’ll find the primary reasons why modern robotics are insecure. They rely on insecure wireless connections, don’t follow proper privacy and security protocols, employ poor user authentication measures and lack strict security policies for their default configurations.
Keep in mind, fixing all these points is crucial to building stronger security. Security and privacy are not to be taken lightly, and these problems present sizable vulnerabilities. And that’s unfortunate because there are lots of things we’d rather let robots do — like vacuum.
Robotic smart vacuums can roam around the home on a schedule and clean. They vacuum dirt, dust and nasties so you don’t have to spend your weekends lugging around a machine or sweeping. If you do have to clean at the end of the week, there’s a lot less to do thanks to your little robotic buddy.
This is just from the consumer side of things and only looks at a single type of device, but it’s an example of something seemingly innocuous that represents a real security risk. Corporations have thousands of robotic options, from the enterprise and corporate world to industrial setups. Amazon even uses robots in their shipping and packaging warehouses.
An insecure robot with access to millions of addresses — and their preferred spending habits — could be a hacker’s dream. Such risks don’t even factor in security risks from external sources, like employees. Regardless of intent, it’s entirely possible for your workforce to cause security breaches.
Their personal devices can be a liability for an internal network. Even unsanctioned activities and usage on company devices and systems can pose major security risks. Making sure employees have the proper training in security and technology is crucial to the safety of your business.
Perhaps even more important is fixing the following security issues in robotics and autonomy systems.
- Insecure Connections
Most robotic devices or IoT devices rely on Bluetooth and Wi-Fi wireless protocols to access the internet and interface with other tech. While these connection methods are perhaps not the most secure, the problem isn’t the technology itself. The problem is how data is being transmitted.
Most data is sent in cleartext, and when it is encrypted, the methods used are poor. Poor encryption methods mean anyone who gets access to the data has all the information they need to carry out attacks or cause harm.
- Privacy Falls by the Wayside
As most platforms do, robotic and IoT devices report data remotely to various servers and company systems, sometimes even without user consent or permission. In some cases, data collection and reporting is necessary, while in others it is not. Permission doesn’t necessarily matter. The real problem is that sensitive data is not just being transmitted, it’s also at risk.
The data at risk could include mobile network and device details, user trends or patterns, current GPS data, tracked stats and much more. If a hacker gains access to the data being transmitted, they could cause a lot of harm, but most of the users would be none the wiser as to what’s happening, at least until the company involved announces the finer details.
- User Authentication Is Not Strict
No matter what a robotic unit is doing, only authorized users should be able to deliver commands and control it. You don’t want an outsider tapping into your system and wreaking havoc. Often, there are no authentication measures employed: users don’t even have to log in or prove their identity to interface with these devices.
In the few cases where an authentication system is used, it’s easy to bypass. The last thing you need is your robot vacuum being hacked and used as a spy tool when a built-in camera and sensors were meant to help it avoid obstacles, not output a live feed. It just goes to show that even something as simple as a robot vacuum needs proper security and privacy measures.
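As an added illustration of what "only authorized users should be able to deliver commands" can look like on the device side, the sketch below accepts a command only if it carries a valid HMAC, a fresh timestamp and an unused nonce. It is example code written for this article, not taken from the IOActive paper or any vendor; the message layout, the command names, the 30-second window and the pre-shared per-device key are all assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 30  # assumed freshness window for a command


def sign_command(key: bytes, cmd: str, nonce: str, ts: float) -> dict:
    """Controller side: serialize the command and attach an HMAC-SHA256 tag."""
    body = json.dumps({"cmd": cmd, "nonce": nonce, "ts": ts}, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


class CommandVerifier:
    """Robot side: reject anything unauthenticated, tampered, stale or replayed."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # nonce -> message timestamp, kept while still fresh

    def verify(self, message: dict, now: float) -> str:
        body, tag = message.get("body"), message.get("mac")
        if not isinstance(body, str) or not isinstance(tag, str):
            return "rejected: unauthenticated"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; the body is parsed only after the tag checks out.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad mac"
        fields = json.loads(body)
        if abs(now - fields["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale"
        # Drop nonces whose messages would now be rejected as stale anyway.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_SKEW_SECONDS}
        if fields["nonce"] in self._seen:
            return "rejected: replay"
        self._seen[fields["nonce"]] = fields["ts"]
        return "accepted: " + fields["cmd"]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    robot = CommandVerifier(key)
    msg = sign_command(key, "start_cleaning", "nonce-1", 1000.0)
    print(robot.verify(msg, 1005.0))                      # legitimate command
    print(robot.verify(msg, 1006.0))                      # same message captured and resent
    print(robot.verify({"body": msg["body"]}, 1005.0))    # no credentials at all
```

The tag only proves who sent the command; it does not hide the contents, so the channel still needs proper encryption.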
- Default Configuration Security Is Lacking
When you get a new modem or router, there is a user-based administrative account, and then there is a higher-level service account. Most consumers don’t even know about the service account or have the information to access it — even if it’s readily available.
Because it’s a high-level account with unfettered access to the system, most companies adhere to strict security policies to ensure someone who isn’t supposed to can’t gain access. Robots and IoT devices are not securely protected by such measures. The default configuration, settings, passwords and accounts are super easy to access even by guessing.
Imagine the kind of damage a stranger could do to a platform or system after gaining unhindered administrative access.
Enhance Security for Robots
Robots are a part of our lives today — whether it’s because we ordered a gift for Mother’s Day from Amazon and had it shipped to her directly or that we own a bot ourselves to help with the cleaning. And, no matter how we use them or how inconsequential it seems, we need to ensure proper measures have been put in place to avoid a security breach.