As part of our commitment to security, Alias Robotics is glad to introduce the Robot Vulnerability Database (RVD), a community-contributed list of robot vulnerabilities and weaknesses.
This effort aligns with Alias' mission to "remove 0-days from robotics" and is the first public step we take towards implementing it. Briefly, we share the belief that vulnerability disclosure is a two-way street where both vendors and researchers must act responsibly. We thereby adhere to a 90-day disclosure deadline for new vulnerabilities (read more about our disclosure policy here), while other flaws such as simple bugs or weaknesses can be filed at any point in time. We notify vendors of vulnerabilities immediately, cooperate with them and favour a coordinated disclosure where details are shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.
This policy is strongly in line with our desire to improve the robotics industry's response times to security bugs, but it also results in softer landings for bugs marginally over deadline. According to our research, most vendors are ignoring security flaws completely. We call on all security researchers to adopt disclosure deadlines in some form, as we have, and to feel free to use our policy verbatim (we ourselves adopted it from Google's) if you find our record and reasoning compelling. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. Given the direct physical connection that robots have with the world, in our opinion, vulnerability disclosure policies such as ours result in greater security in robotics and improved overall safety. A security-first approach is a must to ensure safe robotic operations.
The RVD is an attempt to register and record robot security bugs, including both weaknesses and vulnerabilities (refer to Appendix A for terminology). The current content has been built over the past months and, at the time of writing, includes more than 280 flaws overall:
As contributors to ROS and ROS 2, we have created a dedicated section for ROS (currently only highlighting ROS 2 flaws), available here. We have committed resources to maintain this list and process flaws while reporting on the status of vulnerabilities at the corresponding ROS 2 Security WG meetings. We invite everyone in the community to contribute and help process security flaws. Currently, and as recorded by our team at RVD, ROS 2 presents 236 security weaknesses:
Over the coming months we expect to include several ROS and ROS 2 packages in our pseudo-automatic robot security pipelines and to collaborate with maintainers while recording and addressing security vulnerabilities and weaknesses.
We'd like to acknowledge and credit the support we received from the ROSin project, which partially enabled the development of this work. In particular, RVD will be used to report the findings of the ROSIN RedROS2-I and RedROS2-II FTPs, funded by the European Union's Horizon 2020 research and innovation programme under the project ROSIN with grant agreement No 732287.
Finally, a small disclaimer:
Alias Robotics provides robot security solutions in close collaboration with original robot manufacturers. By no means do we encourage or promote the unauthorized tampering with running robotic systems. This can cause serious human harm and material damage.