-
Introducing the Robot Vulnerability Database (RVD)
Authors:
Víctor Mayoral Vilches,
Lander Usategui San Juan,
Bernhard Dieber,
Unai Ayucar Carbajo,
Endika Gil-Uriarte
Abstract:
Cybersecurity in robotics is an emerging topic that has gained significant traction. Researchers have demonstrated some of the potentials and effects of cyber attacks on robots lately. This implies safety related adverse consequences causing human harm, death or lead to significant integrity loss clearly overcoming the privacy concerns in classical IT world. In cybersecurity research, the use of vulnerability databases is a very reliable tool to responsibly disclose vulnerabilities in software products and raise willingness of vendors to address these issues. In this paper we argue, that existing vulnerability databases are of insufficient information density and show some biased content with respect to vulnerabilities in robots. This paper presents the Robot Vulnerability Database (RVD), a directory for responsible disclosure of bugs, weaknesses and vulnerabilities in robots. This article aims to describe the design and process as well as the associated disclosure policy behind RVD. Furthermore the authors present preliminary selected vulnerabilities already contained in RVD and call to the robotics and security communities for contribution to the endeavour of eliminating zero-day vulnerabilities in robotics.
Submitted 12 November, 2021; v1 submitted 24 December, 2019;
originally announced December 2019.
-
Industrial robot ransomware: Akerbeltz
Authors:
Víctor Mayoral-Vilches,
Lander Usategui San Juan,
Unai Ayucar Carbajo,
Rubén Campo,
Xabier Sáez de Cámara,
Oxel Urzelai,
Nuria García,
Endika Gil-Uriarte
Abstract:
Cybersecurity lessons have not been learnt from the dawn of other technological industries. In robotics, the existing insecurity landscape needs to be addressed immediately. Several manufacturers profiting from the lack of general awareness are systematically ignoring their responsibilities by claiming their insecure (open) systems facilitate system integration, disregarding the safety, privacy and ethical consequences that their (lack of) actions have. In an attempt to raise awareness and illustrate the "insecurity by design in robotics" we have created Akerbeltz, the first known instance of industrial robot ransomware. Our malware is demonstrated using a leading brand for industrial collaborative robots, Universal Robots. We describe the rationale behind our target and discuss the general flow of the attack including the initial cyber-intrusion, lateral movement and later control phase. We urge security researchers to adopt some sort of disclosure policy that forces manufacturers to react promptly. We advocate against security by obscurity and encourage the release of similar actions once vulnerability reports fall into a dead-end. Actions are now to be taken to abide a future free of zero-days for robotics.
Submitted 16 December, 2019;
originally announced December 2019.
-
Robotics CTF (RCTF), a playground for robot hacking
Authors:
Gorka Olalde Mendia,
Lander Usategui San Juan,
Xabier Perez Bascaran,
Asier Bilbao Calvo,
Alejandro Hernández Cordero,
Irati Zamalloa Ugarte,
Aday Muñiz Rosas,
David Mayoral Vilches,
Unai Ayucar Carbajo,
Laura Alzola Kirschgens,
Víctor Mayoral Vilches,
Endika Gil-Uriarte
Abstract:
Robots state of insecurity is onstage. There is an emerging concern about major robot vulnerabilities and their adverse consequences. However, there is still a considerable gap between robotics and cybersecurity domains. For the purpose of filling that gap, the present technical report presents the Robotics CTF (RCTF), an online playground to challenge robot security from any browser. We describe the architecture of the RCTF and provide 9 scenarios where hackers can challenge the security of different robotic setups. Our work empowers security researchers to a) reproduce virtual robotic scenarios locally and b) change the networking setup to mimic real robot targets. We advocate for hacker powered security in robotics and contribute by open sourcing our scenarios.
Submitted 12 November, 2021; v1 submitted 1 October, 2018;
originally announced October 2018.