Skip to content

Robot Hacking Manual (RHM). From robotics to cybersecurity. Papers, notes and writeups from a journey into robot cybersecurity.

License

Notifications You must be signed in to change notification settings

vmayoral/robot_hacking_manual

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RHM: Robot Hacking Manual

Download in PDF RHM v0.5Read online | Robot hacks

The Robot Hacking Manual (RHM) is an introductory series about cybersecurity for robots, with an attempt to provide comprehensive case studies and step-by-step tutorials with the intent to raise awareness in the field and highlight the importance of taking a security-first1 approach. The material available here is also a personal learning attempt and it's disconnected from any particular organization. Content is provided as is and by no means I encourage or promote the unauthorized tampering of robotic systems or related technologies.

Cite this work:

@article{mayoral2022robot,
  title={Robot Hacking Manual (RHM)},
  author={Mayoral-Vilches, V{\'\i}ctor},
  journal={arXiv preprint arXiv:2203.04765},
  year={2022}
}

Robot hacks

A non-exhaustive list of cybersecurity research in robotics containing various related robot vulnerabilities and attacks due to cybersecurity issues.

👹 Codename/theme 🤖 Robotics technology affected 👨‍🔬 Researchers 📖 Description 📅 Date
Reverse engineering and hacking Ecovacs robots (slides, video, news article) Dennis Giese, Braelynn Vulnerabilities and security risks of Ecovacs smart home robots, highlighting serious flaws such as broken encryption, missing certificate verification, inadequate access control, and unauthorized live camera access. Building on years of experience hacking devices from brands like Roborock and Xiaomi, the presenters dive into the alarming security issues within Ecovacs robots, the market leader in home robotics. The talk covers the difficulties of reporting bugs to the company and warns against relying on third-party certifications. It emphasizes the importance of being cautious with device choices and even personal relationships, due to the potential privacy risks involved. 24-08-2024
iRobot’s Roomba J7 series robot vacuum N/A Personal pictures in a home environment were found in the Internet taken by an iRobot’s Roomba J7 series robot vacuum. The photos vary in type and in sensitivity. The most intimate image we saw was the series of video stills featuring the young woman on the toilet, her face blocked in the lead image but unobscured in the grainy scroll of shots below. In another image, a boy who appears to be eight or nine years old, and whose face is clearly visible, is sprawled on his stomach across a hallway floor. A triangular flop of hair spills across his forehead as he stares, with apparent amusement, at the object recording him from just below eye level. Various other home pictures that tag objects in the environment were found. 19-19-2022
Unitree's Go1 d0tslash (MAVProxyUser in GitHub) A hacker found a kill switch for a gun–wielding legged robot2345. The hack itself leverages a kill switch functionality/technology that ships in all units of the robot and that listens for a particular signal at 433Mhz. When it hears the signal, the robot shuts down. d0tslash used a portable multi-tool for pentesters (Flipper Zero) to emulate the shutdown, copying the signal the robot dog’s remote broadcasts over the 433MHz frequency. 09-08-2022
Enabot's Ebo Air Modux6 Researchers from Modux found a security flaw in Enabot Ebo Air #robot and responsibly disclosed their findings. Attack vectors could lead to remote-controlled robot spy units. Major entry point appears to be a hardcoded system administrator password that is weak and shared across all of these robots. Researchers also found information disclosure issues that could lead attackers to exfiltrate home (e.g. home WiFi password) that could then be used to pivot into other devices through local network. 21-07-2022
Analyzing the Data Distribution Service (DDS) Protocol for Critical Industries7 ROS 2, eProsima's Fast-DDS, OCI's OpenDDS, ADLINK's (now ZettaScale's) CycloneDDS, RTI's ConnextDDS, Gurum Networks's GurumDDS and Twin Oaks Computing's CoreDX DDS Ta-Lun Yen, Federico Maggi, Víctor Mayoral-Vilches, Erik Boasson et al. (various)7 This research looked at the OMG Data Distribution Service (DDS) standards and its implementations from a security angle. 12 CVE IDs were discovered 🆘, 1 specification-level vulnerability identified 💻, and 6 DDS implementations were analyzed (3 open source, 3 proprietary). Results hinted that DDS's security mechanisms were not secure and much effort on this side was required to protect sensitive industrial and military systems powered by this communication middleware. The research group detected that these security issues were present in almost 650 different devices exposed on the Internet, across 34 countries and affecting 100 organizations through 89 Internet Service Providers (ISPs). 19-04-2022
Hacking ROS 2, the Robot Operating System8 ROS 2 Víctor Mayoral-Vilches et al. (various)89 A team of security researchers led by the spanish firm Alias Robotics on their robotics focus discovered various security vulnerabilities that led to compromising the Robot Operating System 2 (ROS 2) through its underlying communication middleware (the DDS communications middleware). Researchers demonstrated how to dissect ROS 2 communications and perform ROS 2 reconnaissance, ROS 2 network denial of service through reflection attacks, and ROS 2 (Node) crashing by exploiting memory overflows which could lead to remote execution of arbitrary code. To mitigate these security vulnerabilities, Alias Robotics contributed to various open source tools including to SROS29 with a series of developer tool extensions that help detect some of these insecurities in ROS 2 and DDS. ROS 2 community-owner Open Robotics did not follow up with these results or contributions and disregarded overall its relevance, pushing security responsibility aside10 22-04-2022
JekyllBot:511 Aethon TUG smart robots (various) Cynerio11 JekyllBot:5 is a collection of five critical zero-day vulnerabilities that enable remote control of Aethon TUG smart autonomous mobile robots and their online console, devices that are increasingly used for deliveries in global hospitals. More tech details about security findings at 12. 01-04-2022
Robot Teardown, stripping industrial robots for good13 Universal Robots' UR3, UR5, UR10, UR3e, UR5e, UR10e and UR16e Víctor Mayoral-Vilches et al. (various)14 This research led by Alias Robotics introduced and advocated for robot teardown as an approach to study robot hardware architectures and fuel security research. Security researchers showed how teardown can help understanding the underlying hardware for uncovering security vulnerabilities. The group showed how robot teardown helped uncover more than 100 security flaws with 17 new CVE IDs granted over a period of two years. The group also demonstrated how various robot manufacturers are employing various planned obsolescense practices and how through teardown, planned obsolescence hardware limitations can be identified and bypassed obtaining full control of the hardware and giving it back to users, which poses both an opportunity to claim the right to repair as well as a threat to various robot manufacturers’ business models 20-07-2021
Rogue Automation13 (various robotic programming languages/frameworks) ABB's Rapid, Comau's PDL2, Denso's PacScript, Fanuc's Karel, Kawasaki's AS, Kuka's KRL, Mitsubishi's Melfa, and Universal Robots's URScript Federico Maggi, Marcello Pogliani (various)13 This research unveils various hidden risks of industrial automation programming languages and frameworks used in robots from ABB, Comau, Denso, Fanuc, Kawasaki, Kuka, Mitsubishi, and Universal Robots. The security analysis performed in here reveals critical flaws across these technologies and their repercussions for smart factories. 01-08-2020
Securing disinfection robots in times of COVID-191516 UVD Robots' UVD Robot® Model B, UVD Robot® Model A Víctor Mayoral-Vilches et al. (Alias Robotics)1516 The robots used in many medical centres to fight against COVID-19 for disinfection tasks were found vulnerable to various previously reported vulnerabilities (see 17) while using Ultraviolet (UV) light, which can affect humans causing suntan, sunburn or even a reportedly increased risk of skin cancer, among others. The team at Alias Robotics confirmed experimentally these issues and found many of these robots insecure, with many unpatched security flaws and easily accessible in public spaces. This led them to develop mitigations for these outstanding security flaws and offered free licenses16 for such patches to hospitals and industry during the pandemic 19-09-2020
The week of Mobile Industrial Robots' bugs17 Mobile Industrial Robots' MiR100, MiR200, MiR250, MiR500, MiR600, MiR1000, MiR1350, Easy Robotics' ER200, Enabled Robotics' ER-FLEX, ER-LITE, ER-ONE, UVD Robots' UVD Robot® Model B, UVD Robot® Model A Víctor Mayoral-Vilches et al. (Alias Robotics)18 Having identified relevant preliminary security issues, after months of failed interactions with Mobile Industrial Robots’ (MiR) robot manufacturer while trying to help secure their robots, with this disclosure, Alias Robotics decided to empower end-users of Mobile Industrial Robots’ with information. The disclosure included a week of hacking efforts that finalized with the public release of 14 cybersecurity vulnerabilities affecting MiR industrial robots and other downstream manufacturers, impacting thousands of robots. More than 10 different robot types were affected operating across industrial spaces and all the way to public environments, such as airports and hospitals. 11 new CVE IDs were assigned as part of this effort 24-06-2020
Attacks on Smart Manufacturing Systems19 Mitsubishi Melfa V-2AJ Federico Maggi, Marcello Pogliani (various)19 Systematic security analysis exploring a variety of attack vectors on a real smart manufacturing system, assessing the attacks that could be feasibly launched on a complex smart manufacturing system 01-05-2020
The week of Universal Robots' bugs18 Universal Robots' UR3, UR5, UR10, UR3e, UR5e, UR10e and UR16e Víctor Mayoral-Vilches et al. (Alias Robotics)18 For years Universal Robots did not care nor responded about cybersecurity issues with their products. Motivated by this attitude, Alias Robotics' team launched an initiative to empower Universal Robots' end-users, distributors and system integrators with the information they so much require to make use of this technology securely. This effort was called the week of Universal Robots' bugs and in total, more than 80 security issues were reported in the robots of Universal robots 31-03-2020
Akerbeltz: Industrial robot ransomware20 Universal Robots' UR3, UR5, UR10 Víctor Mayoral-Vilches et al. (Alias Robotics)20 In an attempt to raise awareness and illustrate the ”insecurity by design in robotics”, the team at Alias Robotics created Akerbeltz, the first known instance of industrial robot ransomware. The malware was demonstrated using the UR3 robot from a leading brand for industrial collaborative robots, Universal Robots. The team of researchers discussed the general flow of the attack including the initial cyber-intrusion, lateral movement and later control phase 16-12-2019
Rogue Robots21 ABB’s IRB140 Federico Maggi, Davide Quarta et al. (various)21 Explored, theoretically and experimentally, the challenges and impacts of the security of modern industrial robots. Researchers also simulated an entire attack algorithm from an entry point to infiltration and compromise to demonstrate how an attacker would make use of existing vulnerabilities in order to perform various attacks. 01-05-2017
Hacking Robots Before Skynet22 SoftBank Robotics's NAO and Pepper, UBTECH Robotics' Alpha 1S and Alpha 2, ROBOTIS' OP2 and THORMANG3, Universal Robots' UR3, UR5, UR10, Rethink Robotics' Baxter and Sawyer and several robots from Asratec Corp Lucas Apa and César Cerrudo (IOActive)22 Discovered critical cybersecurity issues in several robots from multiple vendors which hinted about the lack of security concern and awareness in robotics. 30-01-2017
Robot Operating System (ROS): Safe & Insecure23 ROS Lubomir Stroetmann (softSCheck)23 This is one of the earliest studies touching on ROS and offers security insights and examples about the lack of security considerations in ROS and the wide attack surface exposed by it. The author hints that with ROS, protection mechanism depends on the (security) expertise of the user, which is not a good assumption in the yet security-immature robotics community. Moreover the author hints about various vulnerabilities that are easily exploitable due to the XMLRPC adoption within the ROS message-passing infrastructure including various XML bomb attacks (e.g. "billion laughs") 28-02-2014

Footnotes

  1. Read on what a security-first approach in here.

  2. Hacker detects a kill switch to take down the gun-toting robot dog https://interestingengineering.com/innovation/gun-toting-robot-dog-kill-switch

  3. Hacker Finds Kill Switch for Submachine Gun–Wielding Robot Dog https://www.vice.com/en/article/akeexk/hacker-finds-kill-switch-for-submachine-gun-wielding-robot-dog

  4. HangZhou Yushu Technology (Unitree) go1 development notes https://github.com/MAVProxyUser/YushuTechUnitreeGo1#pdb-emergency-shut-off-backdoor-no-way-to-disable

  5. Russia's new 'robot dog war machine' is just Chinese household 'toy' with gun taped on https://www.dailystar.co.uk/news/world-news/russias-new-robot-dog-war-27765427

  6. Serious security issues uncovered with the Enabot Smart Robot https://www.modux.co.uk/post/serious-security-issues-uncovered-with-the-enabot-smart-robot. Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users https://www.hackread.com/enabot-ebo-air-home-security-robot-flaws-spy-on-users/. Enabot Ebo Air smart robot hacking flaw found, and fixed https://www.which.co.uk/news/article/enabot-ebo-air-smart-robot-hacking-flaw-found-and-fixed-aJCkd2I4cxPs

  7. Analyzing the Data Distribution Service (DDS) Protocol for Critical Industries https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-the-data-distribution-service-dds-protocol.pdf 2

  8. Case study, hacking the Robot Operating System (ROS) 2 https://github.com/vmayoral/robot_hacking_manual/tree/master/1_case_studies/2_ros2. See https://news.aliasrobotics.com/alias-robotics-dds-ros2-vulnerabilities/ and https://www.prnewswire.com/news-releases/alias-robotics-discovers-numerous-and-dangerous-vulnerabilities-in-the-robot-operating-systems-ros-communications-that-can-have-devastating-consequences-301513741.html for public announcements. See https://www.robotics247.com/article/alias_robotics_claims_to_find_security_flaws_in_ros_2_open_robotics_responds for some public discussions 2

  9. SROS2: Usable Cyber Security Tools for ROS 2 https://aliasrobotics.com/files/SROS2.pdf 2

  10. Alias Robotics Claims to Find Security Flaws in ROS 2; Open Robotics Responds https://www.robotics247.com/article/alias_robotics_claims_to_find_security_flaws_in_ros_2_open_robotics_responds

  11. JekyllBot:5 https://www.cynerio.com/jekyllbot-5-vulnerability-disclosure-report 2

  12. JekyllBot:5 allows attackers who exploit these vulnerabilities to: a) See real-time footage ofa hospital through the robots’ cameras, b) Take videos and pictures of vulnerable patients and hospital interiors, c) Interfere with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems, d) Access patient medical records inviolation of HIPAA and other international regulations regarding the protection ofpersonal health information, e) Take control of the robots’ movement and crash them into people and objects, or use them to harass patients and staff, f) Disrupt the regular maintenancetasks regularly performed by the robots, including house keeping, cleaning, and delivery errands, g) Disrupt or block robot delivery of critical patient medication, or stealit outright, with potentially damaging or fatal patient outcomes as a result, h) Hijack legitimate administrative user sessions in the robots’ online portal and inject malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.

  13. Rogue Automation: Vulnerable and Malicious Code in Industrial Programming https://robosec.org/downloads/wp-rogue-automation-vulnerable-and-malicious-code-in-industrial-programming.pdf 2 3

  14. Robot teardown, stripping industrial robots for good https://aliasrobotics.com/files/robot_teardown_paper.pdf

  15. Securing disinfection robots in times of COVID-19 https://news.aliasrobotics.com/securing-uvdrobots/ 2

  16. Insecure robots during COVID-19 https://www.youtube.com/watch?v=1lNNYpSP8Dg (see https://www.youtube.com/watch?v=QFubEoWm7bA for a version in spanish) 2 3

  17. The week of Mobile Industrial Robots' bugs https://news.aliasrobotics.com/the-week-of-mobile-industrial-robots-bugs/ 2

  18. The week of Universal Robots' bugs https://news.aliasrobotics.com/week-of-universal-robots-bugs-exposing-insecurity/ 2 3

  19. Attacks on Smart Manufacturing Systems A Forward-looking Security Analysis https://robosec.org/downloads/wp-attacks-on-smart-manufacturing-systems.pdf 2

  20. Industrial robot ransomware: Akerbeltz https://arxiv.org/pdf/1912.07714.pdf 2

  21. Rogue Robots: Testing the Limits of an Industrial Robot’s Security https://www.blackhat.com/docs/us-17/thursday/us-17-Quarta-Breaking-The-Laws-Of-Robotics-Attacking-Industrial-Robots-wp.pdf 2

  22. Hacking Robots Before Skynet https://ioactive.com/pdfs/Hacking-Robots-Before-Skynet.pdf 2

  23. Robot Operating System (ROS): Safe & Insecure, Security Investigation of the Robot OS (ROS) https://www.researchgate.net/profile/Hartmut-Pohl/publication/263369999_Robot_Operating_System_ROS_Safe_Insecure/links/57fdf86108ae727563ffd5a6/Robot-Operating-System-ROS-Safe-Insecure.pdf 2