Small Wonder @ Black Hat USA 2021 | Thursday, August 5 - 1:30pm-2:10pm
- Led by Alias Robotics, researchers will demonstrate at Black Hat 2021 (Las Vegas) how industrial robots are fully exposed to hackers
- In a joint publication, both companies, together with researchers from Alpen-Adria-Universität Klagenfurt, disclose a methodology to study robot hardware architectures and uncover security vulnerabilities
- More than 100 security vulnerabilities were found and planned obsolescence practices identified. Researchers advocate for a right to repair in robotics to fight obsolescence
Alias Robotics, leading the field of robot cybersecurity, and Trend Micro, a global cybersecurity leader specialized in the fight against cybercrime worldwide, have started a cooperation to fight cybercrime in robotics.
Researchers from both companies will present the results of three years inspecting industrial robots at Black Hat 2021 (Las Vegas), claimed to be the most respected information security event series internationally. The talk is titled "Small Wonder: Uncovering Planned Obsolescence Practices in Robotics and What This Means for Cybersecurity" and will be presented by Víctor Mayoral-Vilches and Federico Maggi next Thursday, August 5 @ 1:30pm-2:10pm (Virtual).
In this first joint work, Alias Robotics and Trend Micro partnered with Alpen-Adria-Universität Klagenfurt and published a report bringing new results in the field of threat and vulnerability research in robotics.
The work to be presented at Black Hat 2021 advocates for a complementary offensive methodology to protect robots in a feasible and timely manner. Building upon a decade of experience in robotics, researchers review the current status of cybersecurity in robotics and discuss the challenges of securing robotic systems.
Víctor Mayoral-Vilches, Alias Robotics robotics security researcher:
“Complexity makes security in robotics a challenge. The inherent complexity of robotic systems leads to wide attack surfaces and a variety of potential attack vectors which manufacturers are failing to mitigate in reasonable time periods.”
Federico Maggi, senior researcher at Trend Micro:
“Robot teardown is to industrial security what reverse engineering is to software security. Both skills are fundamental to the future generation of security professionals.”
Similar to Ford in the 1920s, most robot manufacturers follow several planned obsolescence practices nowadays and organize dealers (often called distributors) or approved system integrators into private networks, providing repair parts only to certified companies in an attempt to discourage repairs and evade competition.
The collaboration unveiled more than 100 vulnerabilities affecting various manufacturers. Amongst the results obtained, researchers observed a trend from Teradyne, where two of its owned robotics companies (Universal Robots and Mobile Industrial Robots) presented dozens of vulnerabilities. The case of Teradyne is of special interest because its robots are advertised as collaborative, that is: designed to augment human capabilities by closely (physically) cooperating without causing any harm.
Results show evidence that robot teardowns can help the robotics industry and supply chain by significantly improving quality, safety and security. Findings also demonstrate planned obsolescence practices. Authors advocate for a “Right to Repair” in robotics and encourage end-users to reflect their security needs into their supply chains and the original upstream manufacturers.
More than 100 vulnerabilities
The collaboration between Alias Robotics and Trend Micro also includes both project cooperation and intelligence sharing in the field of robot cybersecurity. The companies will submit joint reports and collaborate frequently with the Electronic Crimes Task Forces, including the Spanish Law Enforcement agencies, the Basque Cybersecurity Center or the U.S. Government Law Enforcement, among others.
“Security is a two-way street where both manufacturers and researchers must act responsibly. Our research shows that relevant manufacturers are still ignoring security flaws. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for attackers to abuse vulnerabilities in robots. Given the direct physical connection with the world that robots have, we can’t accept the current many-years-old zero days. That's why we’re presenting this at Black Hat,” Víctor Mayoral-Vilches claims.