SEATTLE, WA March 9, 2018 — IOActive, Inc., the worldwide leader in research-driven security services, released a blog post today outlining how its researchers, Cesar Cerrudo and Lucas Apa, conducted the first-ever ransomware attack on robots. The blog post, titled “Robots Want Bitcoins too!,” details the hack of the commercially available Pepper and NAO robots developed by SoftBank Robotics, which has sold over 30,000 units worldwide to date. IOActive senior security consultant Lucas Apa is presenting this Proof-of-Concept (PoC) attack today during his “Robots Threats are Challenging our Safety” presentation at the 2018 Kaspersky Security Analyst Summit (SAS) in Cancun, Mexico.
According to IDC, robotics spending is expected to reach $230.7 billion by 2021. Many industries rely on robots, including industrial manufacturing, automotive, retail, restaurants and more, to expedite processes usually handled by humans. According to Cerrudo and Apa, if robot vulnerabilities are exploited to upload ransomware, a business could lose access to data, robot production could shut down, and businesses could wait weeks for costly robots to be repaired.
“It’s no secret that ransomware attacks have become a preferred method for cybercriminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back,” said Lucas Apa, Senior Security Consultant at IOActive. “Knowing that, we decided to conduct a proof-of-concept ransomware attack on the NAO robot, leveraging vulnerabilities we uncovered in our prior research in 2017. What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets. The robots could also malfunction which may take weeks to return them to operational status. Unfortunately, every second a robot is non-operational, businesses and factories are losing lots of money.”
This new research on robotic ransomware builds upon the original research that Apa conducted with Cerrudo, CTO at IOActive, in 2017, during which they discovered almost 50 vulnerabilities in robots from various robot technology vendors. As outlined in the original research, “Hacking Robots Before Skynet” and “Hacking Robots Before Skynet – Technical Appendix,” attackers could manipulate the flaws found in these robots to spy via the robot’s microphone and camera, leak data, or cause serious physical harm.
Cerrudo and Apa then took the research a step further, creating ransomware and uploading it to the NAO robot, which runs the same operating system as SoftBank's Pepper. By injecting custom code into the robot's behavior files, they altered its behaviors to be malicious. Possible malicious behavior on an infected robot includes complete interruption of service, pornographic content on the robot's display, the use of curse words, and even violent movements. An infected robot could also serve as an entry point into a business's internal networks, giving attackers backdoor access and a foothold for lateral movement to steal sensitive data.
“Even though our proof of concept ransomware impacted SoftBank’s NAO and Pepper robots, the same attack could be possible on almost any vulnerable robot,” added Apa. “Robot vendors should improve security as well as the restore and update mechanisms of their robots to minimize the ransomware threat. If robot vendors don’t act quickly, ransomware attacks on robots could cripple businesses worldwide.”
IOActive informed SoftBank of the findings through responsible disclosure in January 2017 and is not aware of any fix available yet.
To view this research on IOActive’s blog, please visit: http://blog.ioactive.com/2018/03/robots-want-bitcoins-too.html
To view the video demonstration of the robot, please visit IOActive’s YouTube channel: https://youtu.be/4djvZjme_-M
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from security advising to penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Read the IOActive Labs Research Blog: http://blog.ioactive.com. Follow IOActive on Twitter: http://twitter.com/ioactive.