Researchers led by the National University of Singapore recently demonstrated that household robot vacuum cleaners can be hacked to behave like listening devices, which spy on their unsuspecting owners. Could industrial robots be similarly compromised? Here, Claudia Jarrett, US country manager at automation parts supplier EU Automation, assesses the risks for industrial robots.
Hackers have exploited LiDAR (Light Detection And Ranging) scanner technology, as used in the latest iPhone, to turn a household vacuum cleaner into a spying device. If that’s not sinister enough, elsewhere, in an experimental stunt, a friendly-looking humanoid robot was hacked to act like Chucky, the evil killer doll from the Child’s Play movies. A video shows the robot attacking a tomato while emitting an evil laugh.
The latter experiment was designed to demonstrate the vulnerabilities of technologies that can be hacked in an increasingly connected world. While these robots were too small to cause direct physical harm, the same cannot be said for industrial robots. If a hacker were able to override the safety protocols of an industrial robot, there would be potential to cause serious harm to workers in the factories that use them.
These hacks may not even be visible to the naked eye. They could entail making smaller and subtler adjustments to the commands or parameters of a robot, rendering an entire product line defective through the insertion of microdefects. Aside from these physical risks, industrial robots can also be hacked to steal trade secrets or other commercially sensitive data.
Whether it is smartphone manufacturing, car-making or the food and beverage sector, factories around the world are already equipped with robots and other automated technologies. So how much of a threat is the possibility of these robots being hacked, and what can manufacturers do about it?
Assessing the threat
For industrial robots, the priority has always been making sure they are safe to operate around humans. While issues of cyber security in industrial robots have been neglected in the past, the same techniques that researchers have used to expose vulnerabilities in consumer robotics have proved just as effective in industrial settings.
Hackers typically use scanners to survey Internet of Things (IoT) devices for weaknesses. Vulnerabilities might include usernames and passwords unchanged from the factory defaults, or glitches in the software that can be discovered through reverse engineering. It is less the robots themselves than the growing reliance on connectivity and IoT devices that increases the vulnerability.
Hacking a small humanoid robot to act like an evil Chucky doll is one thing. But researchers from the cybersecurity firm IOActive took it a step further, pulling off a similar feat with industrial robots. They were able to hack an industrial robot arm made by Universal Robotics, overriding the safety protocols of the machine.
In another prominent example, Trend Micro discovered flaws in software produced by ABB. The Rogue Automation report details how researchers encountered an app store created by ABB. By downloading and reverse engineering the apps, they were able to pinpoint a vulnerability and exfiltrate sensitive data. ABB has since fixed the issue.
Open source software is becoming increasingly popular — including in industrial applications — but it’s a double-edged sword. On the one hand, open source software allows an army of well-intentioned computer geeks to spot and resolve any potential vulnerabilities or glitches. On the other, it means those with less benign intentions can exploit the same vulnerabilities, if they get there first.
To demonstrate this, Trend Micro’s researchers used their scanner to search for flaws in the popular open source software, Robot Operating System Industrial (ROS-I). ROS-I was first adapted for ABB by Kuka. In doing so, they found flaws in the software component for Kuka and ABB robots that allowed hackers to interfere with the movements of the robots. Users can rest assured the vulnerability no longer exists.
Preparing for the future
Results like these are worrying and offer a warning that manufacturers and regulatory authorities must change their approach. In future, cybersecurity will require more focus, as more and more devices are connected to the IoT.
But what does this focus entail? Sensible manufacturers can continue to exploit the benefits of automation, but must also observe the basics of cyber health. That means downloading and installing the latest software and patches, as well as educating staff on the latest precautions for cyber security.
In the above examples, as with the evil Chucky doll, the hackers needed access to a local network or, at least, the ability to tamper with it. Securing these local networks will be key and, in some instances, it’s simply a case of updating the passwords and usernames from the default factory settings.
It might be the case that newer devices are more vulnerable. Tried-and-tested robots or other automated devices are more likely to have had their security flaws discovered and resolved — such as in the example with Kuka and ABB. The risk with these machines is that their components become obsolete, but partnering with a reliable automation parts supplier such as EU Automation will allow manufacturers to continue relying upon the tech they trust, whether that’s new or obsolete equipment.