Robot cybersecurity firm Alias Robotics cooperates with KUKA and several national authorities to disclose two relevant security vulnerabilities for robots
Press release
The Spanish robotics firm Alias Robotics, specialized in robot cybersecurity, has made public a short case study disclosing two vulnerabilities detected by their researchers in the robots of KUKA, one of the leading manufacturers of robots in the world.
This case study is the result of a cooperation involving different parties and mediators, including KUKA's Industrial Security Research & Development branch, the German Federal Cyber Security Authority (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the Spanish National Cybersecurity Institute (INCIBE), among others.
For the last two months, Alias Robotics responsibly cooperated with these parties, which delivered the security flaws to KUKA for their consideration. At the time of writing, KUKA has confirmed one of the flaws and is still working on the second one. However, more than 45 days have passed since their first notification, so Alias Robotics decided to go public and release this information for the defensive cybersecurity community.
Víctor Mayoral Vilches, CTO at Alias Robotics:
"We strongly believe that the mantra of security-by-obscurity is never a good idea and encourage both manufacturers and end-users to both adopt deadlines and apply a security-first approach in robotics. With Industry 4.0, even air-gapped systems are becoming less secure by the day. In an attempt to raise awareness without risking end-users, the disclosures for the KR C4 controller do not include details on their exploitation".
Alias Robotics made the disclosures in their Robot Vulnerability Database (RVD) and openly invited defenders to reach out. Moreover, Alias urges users, integrators and distributors of these systems to take security measures against these flaws immediately and to proactively perform security assessments like this one periodically to detect security flaws and prevent their robots from being easily targeted.
Endika Gil Uriarte, CEO at Alias Robotics, added:
"For full transparency, we'd like to convey the message that work remains to be done on these robots from a cyber security standpoint. As we often indicate, security is a process. Due to budget limitations, we left untriaged more than a dozen identified security bugs that seemingly affect this robot controller and might compromise users' safety. We encourage robot users and organizations concerned about cyber security or safety to reach out".
More resources:
- KUKA security - penetration testing industrial robots https://aliasrobotics.com/case-study-pentesting-kuka.php
- Alias Robotics security F.A.Q. https://aliasrobotics.com/faq.php