Collaborative Robot Insecurities Exposed
In an act of transparency and commitment to security and safety, Acutronic Robotics allowed an in-depth analysis of MARA, its modular robotic arm. The study, conducted by Alias Robotics, reveals multiple weaknesses (most possibly shared by other robotic arms) that could have been exploited by malicious actors, compromising relevant safety mechanisms.
Acutronic Robotics has reacted by ensuring security improvements and disclosing a threat model of MARA, a security shield that makes it possible to protect the industrial arm. The first units of MARA, now protected like no other collaborative arm on the market, will be shipped to its first customers in the following weeks.
Researchers from Alias Robotics warn that most collaborative robots are totally insecure: “most manufacturers simply don’t think about security”.
Most cobots lack security mechanisms
Collaborative robots (commonly referred to as cobots) combine the benefits of human intelligence and skills with the advantage of sophisticated robotic technical systems. This new generation of robots focuses on establishing a joint workspace between humans and machines. To prevent any harm to humans, safety has the topmost priority. Security, though often disregarded, is a necessary precondition for safety.
Most of the collaborative robots currently available on the market lack security mechanisms. Two robotics startups, Acutronic Robotics (providing modular robotic solutions) and Alias Robotics (delivering cybersecurity for robots), have partnered to analyze the state of security of these robots meant to collaborate with humans. The study has focused on MARA, an industrial-grade collaborative robotic arm that is modular, adopts new standards such as the Robot Operating System (ROS 2) and includes security mechanisms on each module.
A ‘security shield’ for the MARA robotic arm
The results of the study have been made publicly available by Acutronic Robotics through the release of a ‘threat model’, a representation of all the aspects that affect the security of a robot in a particular application. This representation constitutes a ‘security shield’ that both engineers at Acutronic Robotics and its clients will use to reinforce the security of their solutions.
“Current available-in-the-market collaborative robots lack modularity and have followed a similar approach to traditional robots, enforcing vendor lock-in through a variety of techniques. Acutronic Robotics is one of the leading forces behind a new generation of collaborative robots. We care about real-time, safety and security. We’ve partnered with Alias Robotics to ensure that our robotic solutions are in constant challenge. This is the only way to deliver a secure and safe system.” says Víctor Mayoral, CEO of Acutronic Robotics.
Alias Robotics, a young security firm focused on robotics, has been researching this area and collaborating with manufacturers for the last year. In January, they released a tool to hunt for hackable robots connected to the Internet and demonstrated how to find more than 100 vulnerable robots in a few hours.
David Mayoral, CEO of Alias Robotics, claims that the overall situation is concerning:
“Security is a process, not a product. It needs to be assessed continuously. Robot manufacturers are completely ignoring it. Most robot vendors haven’t even considered security at all. Many claim that offering security is not their responsibility but the end-user’s. As robots get more introduced into joint workspaces, we foresee catastrophes. We applaud Acutronic Robotics’ attitude and encourage other manufacturers to consider security in their solutions.”
27 vulnerabilities found and mitigated
Besides the “threat model”, Alias Robotics found multiple weaknesses and 27 exploitable vulnerabilities in the robot. These vulnerabilities allowed an arbitrary attacker to remotely control the robot. This could seriously harm humans and/or cause considerable financial damage to equipment. Moreover, data and production secrets were compromised, which could have led to economic and strategic repercussions.
“Safety cares about the possible damage a robot may cause in its environment, whilst security aims at ensuring that the environment does not disturb the robot operation. Safety and security are connected matters and the lack of security has safety repercussions.”
says Víctor Mayoral, who, besides leading Acutronic Robotics, is also an ISO national expert developing new standards for robots and participates in the ROS 2 Technical Steering Committee.
“Security by obscurity is not the right path and Alias Robotics demonstrated that. By working with them we’re ensuring that not only MARA, but our complete communication bus (H-ROS) is secured, helping companies create more reliable solutions.”