Industrial robots are now being used to assemble everything from airplanes to smartphones, using human-like arms to mechanically repeat the same processes over and over, thousands of times a day with nanometric precision.
But according to a new report entitled “Rogue Automation,” some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely, like a scene out of science fiction.
“Attacks on industrial environments in these sectors could have serious consequences, including operational failure, physical damage, environmental harm and injury or loss of life,” according to Federico Maggi, a researcher at Trend Micro, and Marcello Pogliani, an information security researcher at Politecnico di Milano, in a research report reviewed by Bloomberg News. The report will be presented Wednesday at a virtual forum organized by Black Hat, which hosts cybersecurity events around the world.
Robots are often connected to networks and run via software, according to the report, and previously unknown vulnerabilities could allow hackers to hide malicious code in them and in other automated, programmable manufacturing machines. The researchers found flaws in software produced and distributed by the Swedish-Swiss multinational ABB, one of the world’s largest industrial robot makers. They also found other vulnerabilities in one of the industry’s most popular open-source software packages, called “Robot Operating System Industrial”, or Ros-I, adapted for ABB and for Kuka AG, a German robot maker.
Maggi and Pogliani said two years ago they “stumbled upon something we had never seen before,” an app store run by ABB for heavy industrial machines including robots. The apps were written in ABB’s proprietary programming language used to automate industrial machines, the types of robots used to assemble cars or handle processed food. They downloaded and reverse engineered some of the apps to figure out how they worked and discovered a vulnerability in one of the apps for ABB robots — just the type of thing a hacker could exploit, they said.
The flaw would have allowed an attacker on the network to exfiltrate any files from the robot controller, including potentially sensitive data. ABB’s app store itself also had a vulnerability, according to the researchers. Hackers could upload apps to the store by bypassing its validation procedures, making them immediately available to the public even while still pending approval, the researchers said.
“Industrial secrets are traded for very high prices in underground marketplaces and have become one of the main targets of cyber warfare operations,” the paper said. A vulnerability scanner designed by the researchers discovered another class of flaws in a Ros-I software component for Kuka and ABB robots that could have allowed an attacker to interfere with the robots’ movements, according to the report.
Vulnerabilities related to ABB have been acknowledged and solved by the company, while flaws found in the Ros-I software have been mitigated by the Ros consortium and confirmed by the U.S. Cybersecurity & Infrastructure Security Agency, also known as CISA.
A spokesman for ABB said the company “has fixed the concerns in the Trend Micro tests, which helped us provide greater security for equipment in the market.” There is no indication of data exfiltration, nor of any customers being affected by it, he added.
A spokeswoman for Kuka said “Ros-I is an open source project, not developed by Kuka and not part of our portfolio.” Universities and research institutes decide whether they want to integrate Ros-I via the interface themselves, she added.
Industrial robots are a fast-growing area in the industrial sector, with historical growth rates exceeding 20% in unit terms and an annual value of $16 billion, based on International Federation of Robotics data. Even as China’s foray into robots is slowing and the sector may see a decline in 2020, long-term fundamentals remain largely intact, driven by factors such as aging demographics and demand for quality, Bloomberg Intelligence analyst Mustafa Okur said.