Over the past several decades, advances in robotics have made robots practically an industry staple, from heavy machinery and textiles all the way to children’s toys and hobbyist RC vehicles.
We trust that these machines are secure, but in reality that’s not always the case. Although it sounds like a plot straight out of a police procedural, there’s a very real possibility of malicious individuals hacking into your seemingly innocuous devices. These vulnerabilities are what make cybersecurity so important for all connected devices.
The world at risk
In March of 2017, research by security firm IOActive revealed startling vulnerabilities in robots we use every day: in factories, in business and in the home. The study examined 10 robots from a variety of areas for security risks, identifying issues like weak cryptography, insecure communications and missing authorisation. According to IOActive CEO Cesar Cerrudo, many vital robots, including those used for medicine and in cars, suffer from the same vulnerabilities.
Upon closer examination, the IOActive team discovered that many of the vulnerabilities stemmed from open-source code used during the robots’ development. Although code sharing is common among robotics programmers, it poses a risk if the programs aren’t completely secure. This same sharing could spread vulnerable code in much the same way a virus spreads among humans.
What are the dangers?
Just recently, the BBC reported on the smart doll My Friend Cayla, made by Genesis Toys. The German Federal Network Agency issued a warning to parents, claiming hackers could take advantage of the doll’s unsecured Bluetooth device to listen and even talk to children. However, the UK Toy Retailers Association (TRA) countered by saying the doll is safe.
Despite the TRA’s claims, experts have tested and confirmed the vulnerability is real. Not only does this put children and homes at risk, but the potential for a breach also puts the doll in violation of anti-surveillance laws.
In a separate instance, Rapid7 and Double Robotics, makers of telepresence robots, had to issue patches for security vulnerabilities in their robots. One vulnerability would allow hackers access to sensitive information like GPS coordinates, historical session data and installation keys. A separate issue would have let a hacker gain control of the robot itself, potentially compromising sensitive office documents.
Remarkably, the company opted to leave a third issue, insecure Bluetooth pairing, unpatched. This was because they judged that a hacker could not gain any useful information from just pairing with the robot alone, as their previous patches fixed all vulnerabilities that disrupted movement and data management.
These reports show that these dangers are real, not just media hyperbole. If something as innocuous as a doll or a telepresence bot has these security vulnerabilities, just picture what could happen if hackers gained control of something more mobile, like an industrial robot or a smart car. In order to counter these dangers, it’s vital to consider them real threats, rather than just the imaginings of someone who’s read too much sci-fi.
How can this be prevented?
Tackling this widespread problem will be difficult, but not impossible. The first logical step is to raise awareness of these issues among the people who write the programs used by connected devices. The concept of risk-based thinking has been a systematic part of business for years and now other industries stand to gain from its integration.
Predicting and countering risks and vulnerabilities during the development stage will reduce the chances of security loopholes making their way into shipped products. The IOActive report recommends that software developers implement a Secure Software Development Life Cycle (SSDLC) into their processes.
SSDLC is a planning structure designed to help build an application from the time development begins to the time it is ready to be discontinued. SSDLC works by adding security checks into pre-existing development practices. This versatility makes the development life cycle highly adaptable while still providing protection against security loopholes.
Additionally, makers need to be sure their robots use secure authentication methods to protect sensitive data. Some of the robots tested by IOActive required little to no authentication to access remote services. This allows people to illicitly gain access to the robot through those services.
Encryption of information stored and processed by the robots and their companion apps is another problem area. If the robot can’t encrypt the data it sends to various services, it opens up the possibility for man-in-the-middle attacks. Many of the robots analysed didn’t even encrypt sensitive data such as user passwords.
Steps to take
With all these risks, you’ll need to know what steps to take to avoid a breach. As always, your strongest weapon is education. Know that any connected robot — whether it’s an Amazon Echo or a manufacturing robot for your business — can pose a potential risk.
Take the time and do some research before you purchase. If you’re dealing with a representative, request a rundown of the robot’s security precautions. You can also do research on your own through consumer reviews and reports. Remember, the more informed you are, the better your ability to make a safe purchase.
After you’ve bought the robot, make sure you change any default passwords the unit shipped with. At the same time, make sure its software is up to date, as this will ensure that you have the most recent security patches.
Also, disable any options you don’t need the bot to perform. For example, if the robot doesn’t need internet access to do its job, switch off that setting. Make sure you’re familiar with the data the robot collects, because that is the data that would be compromised in the event of a hack.
As automation technology grows in popularity, the budding robotics industry has a lot of work ahead of it. Unbeknownst to consumers, their devices may have security flaws that put their safety and personal information at risk. It’s clear that both companies and consumers will have to put greater effort into data security to prevent potential cyber disasters from taking place.
Kayla Matthews, technology writer and cybersecurity blogger