Add industrial robots to the list of internet-connected devices vulnerable to hackers
If you thought getting your smart, internet-connected TV hacked was bad, wait until a production line of big robots gets hacked.
The software that runs internet-connected industrial robots is outdated and vulnerable to hacking, according to a new report from cybersecurity firm Trend Micro and the Politecnico de Milano. The researchers found tens of thousands of industrial devices were susceptible to hackers, which included industrial robots.
What could happen if an industrial robot were hacked
"The worst-case scenario, besides all the safety functions being overridden and killing factory workers outright, would be introducing subtle defects that will lead to failures down the road, things catching on fire, safety systems failing, loss of structural integrity, etc," Core Security system engineer Bobby Kuzma said in an email.
Vice president of security at Radware Carl Herberger said in an email that "it is not impossible to think that a hacker could take control of this device and endanger worker safety by manipulating movements and actions."
The internet of things has plenty of potential for murder — someone could turn off your thermostat in the middle of a cold winter's night or remotely deactivate someone's pacemaker. With industrial robots, it's not just human workers alongside them that are in immediate danger, but end users as well. As ZDNet pointed out, industrial robots are used in aerospace, automotive, pharmaceutical and electronics manufacturing. A hacker could breach an industrial robot and manipulate the manufacturing process, resulting in faulty planes, automobiles, smartphones, etc.
"Depending on what the product actually is, a shoddy or flawed device could potentially threaten consumer well-being," Herberger said.
"It would be incredibly irresponsible to leverage the current Internet for robotics," Barrett Lyon, Head of Security Research and Development at Neustar said. "A robot is not much different than any of the technology that has been connected to the Internet and if we use history as a lesson, there is great concern. In networking we're at an infantile stage and expecting devices like robots to be safely operated from what we have now would be borderline criminal. In the past there have been industrial devices connected accidentally or purposefully on the Internet and it's had great consequences."
"If you don't trust the internet for voting for the president of the United States, why would you trust it to operate robotics that could potentially harm or damage people?" Lyon asked.
Safety is not a priority
We've already seen the magnitude of a terrible internet of things — thanks to poorly secured webcams, a Mirai botnet was able to take down Twitter, Reddit, Spotify and a host of other sites in October. Herberger said that both consumers and manufacturers need to be mindful about internet of things security, but that it ultimately begins when developing and testing the product. And that's on manufacturers.
"As connected devices have continued to become more widespread in both industrial and consumer spaces, it is clear that cybersecurity has widely been considered a secondary priority," Herberger said. "The IoT movement has pushed companies to rapidly create connected devices, often with little to no security, leaving huge loopholes for malicious hackers."
The report, titled Rogue Robots: Testing the Limits of an Industrial Robot's Security, details several ways in which a hacker could attack a vulnerable industrial robot system. These attacks could result in sabotaging products, which hackers could in turn use to seek ransom from manufacturers. There is also the potential for physical damage to the robot, production line and people working alongside them. Lastly, the report notes that industrial robots can store data, such as industry secrets, which could be breached by hackers.
"Plain and simple, if any device, ranging from an industrial robot to a security camera to a thermostat, is being connected to the internet, there needs to be cybersecurity protections put in place from the start," Herberger said.