Robotic arms manufactured by Kuka operate on a VW Passat chassis at the VW factory in Emden, Germany. Picture: BLOOMBERG VIA GETTY IMAGES/KRISZTIAN BOCSI

Milan — Industrial robots are now being used to assemble everything from aircraft to smartphones, using human-like arms to mechanically repeat the same processes over and over, thousands of times a day with nanometric precision.

But according to a new report entitled Rogue Automation, some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely, like a scene out of science fiction.

“Attacks on industrial environments in these sectors could have serious consequences, including operational failure, physical damage, environmental harm and injury or loss of life,” according to Federico Maggi, a researcher at Trend Micro, and Marcello Pogliani, an information security researcher at Politecnico di Milano, in a research report reviewed by Bloomberg.

The report will be presented on Wednesday at a virtual forum organised by Black Hat, which provides cyber-security events around the world.

Robots are often connected to networks and run via software, according to the report, and previously unknown vulnerabilities could allow hackers to hide malicious code in them and other automated, programmable manufacturing machines. The researchers found flaws in software produced and distributed by the Swedish-Swiss multinational ABB, among the world’s largest industrial robot-makers.

They also found other vulnerabilities in one of the industry’s most popular open source software packages, called robot operating system industrial (Ros-I), adapted for ABB and for Kuka, a German robot-maker.

Maggi and Pogliani said two years ago that they “stumbled upon something we had never seen before”, an app store run by ABB for heavy industrial machines including robots. The apps were written in ABB’s proprietary programming language used to automate industrial machines, the types of robots used to assemble cars or handle processed food.

They downloaded and reverse engineered some of the apps to figure out how they worked and discovered a vulnerability in one of the apps for ABB robots — just the type of thing a hacker could exploit, they said.

Bypassing procedures

The flaw would have allowed an attacker on the network to exfiltrate any files from the robot controller, including potentially sensitive data. ABB’s app store itself also had a vulnerability, according to the researchers. Hackers could upload apps to the store by bypassing validation procedures, making them immediately available to the public, even if still pending approval, the researchers said.

“Industrial secrets are traded for very high prices in underground marketplaces and have become one of the main targets of cyber-warfare operations,” the paper said. A vulnerability scanner designed by the researchers discovered another class of flaws in a Ros-I software component for Kuka and ABB robots that could have allowed an attacker to interfere with robots’ movements, according to the report.

Vulnerabilities related to ABB have been acknowledged and solved by the company, while flaws found in Ros-I software have been mitigated by the Ros consortium and confirmed by the US Cybersecurity and Infrastructure Security Agency.

A spokesperson for ABB said the company “has fixed the concerns in the Trend Micro tests, which helped us provide greater security for equipment in the market”. There is no indication of data exfiltration nor any customers affected by it, he said.

A spokesperson for Kuka said “Ros-I is an open source project, not developed by Kuka and not part of our portfolio”. Universities and research institutes decide whether they want to integrate Ros-I via the interface themselves, she said.

Industrial robots are a fast-growing area in the industrial sector, with historical growth rates exceeding 20% in unit terms and an annual value of $16bn, based on International Federation of Robotics data, Bloomberg Intelligence analyst Mustafa Okur said. Even as China’s foray into robots is slowing and the sector may see a decline in 2020, he said, long-term fundamentals remain largely intact, driven by factors such as ageing demographics and demand for quality.

Bloomberg
