Morning Read: Hacking Robots Before Skynet
Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.
Today’s Morning Read is Hacking Robots Before Skynet, a whitepaper published by Cesar Cerrudo and Lucas Apa at IOActive. You can find a copy of the paper here.
Overview
Overall, I thought this paper was an interesting read. I’m always into artificial intelligence/automated things, and I’ve got a few robots running around the house. Naturally, this article caught my interest as I wanted to make sure they weren’t going to become sentient anytime soon. Nonetheless, this was also a paper that begins to address something that we should all be concerned about: How are these amazing advances in technology being secured?
I’m glad the others didn’t focus on one particular vendor or model; they chose a wide range. The findings were as one with infosec experience might expect: there’s a lot of room for improvement.
Highlights
- “Reports forecast worldwide spending on robotics will reach $188 billion in 2020.” Holy shit.
- Vulnerabilities on vulnerabilities. The authors did a great job of comparing multiple vendors and models, which helped give them a good view of the field. They do note, however, that this “was not even a deep, extensive security audit”. As easily-assumed, they found dozens of vulnerabilities.
- Same old story. As mentioned above, vulnerabilities were abound. Some of these included insecure communications platforms, weak or no authentication/authorization, or weak defaults (don’t get me started on NoSQL).
- Consequences of a compromised robot. There is quite a bit of hypothesizing in this story, primarily (I think) because this knowledge is so new. But that doesn’t take away from the damage that these types of hacks could cause.
- Preparing for the (un)known. Without a doubt, my biggest highlight is that there is a growing industry teeming with technology that is currently unsecure. There’s a chance here to implement security right at the beginning, and offset a lot of headaches in the future. I think we need to make sure we’re educating developers as we go along.
Suggestions for Analysts
There were some interesting statistics in this report, especially ones attributing robot-related deaths (such as robotic military devices or botched surgeries). I can only imagine that with this type of risk on the line, it’s a matter of time before someone needs to be able to understand what the machine was doing at the time. I haven’t read up on what happens after a robot-related death — does the robotic company pay damages, or does the patient essentially sign away all rights?
Additionally, the vulnerabilities described in the paper will most likely yield to a party looking to exploit them for control.
Does the growth of robotics mean a new niche of DFIR? I’m not entirely sure. Maybe we all get familiar with minimal operating systems, decoding motor functions, and logging — assuming it’s even enabled. Or maybe someone builds a robot to investigate the robots. But then, who’s going to investigate the investigators? :)