LAS VEGAS — Science fiction author Isaac Asimov famously defined the Three Laws of Robotics, with the very first law being that a robot should do no harm to a human. At the Black Hat USA conference here, security researchers from Politecnico di Milano and Trend Micro are set to detail how that first law can be broken.
In an interview ahead of the talk, Federico Maggi, Senior Threat Researcher at Trend Micro, provided insight into the what the risks are and where vulnerabilities exist with connected industrial robots.
“Instead of just focusing on the robots, we looked at the whole context of where they normally operate,” Maggi said. “Robots work as part of an IT system, so vulnerabilities are naturally going to occur.”
As such, the researchers looked for entry points that an attacker might use, including looking at the networks that connect robots. The researchers discovered that it is possible, without modifying any code that is running on the industrial robot, for a hacker to introduce an action that could lead to a production defect.
For example, if an industrial robot is being used to manufacture parts for an aircraft, an operation can be sent by attacker that would lead to the production of a defective part that could eventually have a catastrophic impact on a airplane and human lives.
The industrial robots that the researchers looked at are connected in various ways, including standard Ethernet as well different proprietary approaches. When it comes to connecting to the wider network and the internet, Maggi said that most industrial robots will connect via a service box router that will have a cellular router connected to it. The service box is typically used by the industrial robot vendors for remote maintenance.
Maggi said that the service box routers are much like those that are found in an office or home environment, except that they are designed to work in industrial environments so they are larger and more rugged. The researchers discovered that not all service box routers are properly configured and are exposed to the open public internet.
“Clearly the fact that the service box is exposed doesn’t mean it’s hack-able but it means that an attacker can find targets,” Maggi said.
Using the Shodan search tool and a specific query, Maggi said that it’s possible to find industrial robots, though he cautioned there are only approximately 30 that he could find directly. He added that simply searching for industrial robots isn’t going to yield many results, because the robots aren’t always on or easily discoverable.
“Robots are often exposed through the third party service box routers,” Maggi said. “So attackers should look at the fingerprints of industrial routers.”
Maggi and his co-researchers looked at 12 major industrial router manufacturers and discovered how easy the routers were able to be found with Shodan. He added that even though he’s not always sure that the industrial routers are in front of robots, they are certainly in front of some form of industrial infrastructure.
“So the problem is actually bigger than just attacking robots,” Maggi said. “The vendors are not doing a great job of making it difficult to fingerprint industrial routers.”
He added that with a simple Shodan search, it’s often easy to even find the serial numbers of a connected industrial router. Maggi said that router vendors can claim that there are no vulnerabilities in their routers and they are only exposing some information about the router. That said, Maggi emphasized that attackers can learn a lot from a router’s information.
“In my opinion, it shouldn’t be that easy to get information about industrial routers,” he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.