Security firm exposes danger in popular home-help robots.
While the internet of things (IoT) presents numerous positives for society, from healthcare to infrastructure, many companies are in uncharted waters when it comes to the security of devices they hope to see people using in their homes, workplaces and public spaces.
In a perfect, and chilling, example of the security flaws present in humanoid robots, ethical hackers have found that several models created by Universal Robots, SoftBank and UBTech Robotics are vulnerable to attack.
According to Bloomberg, Seattle cybersecurity firm IOActive found that the robots could easily be turned into surveillance devices, or even dangerous weapons, due to systemic vulnerabilities.
The Alpha 2, a UBTech offering, is touted as ‘the humanoid robot for all the family’, with features including housekeeping alarms, weather reports, and home security controls such as lights, locks and remote monitoring.
The robot itself is cute and looks friendly, which is what makes IOActive’s findings even more worrying.
The Alpha 2’s security system was simple for the IOActive team to hack, and disabling key safety features allowed the robot to repeatedly stab a tomato in a video uploaded by the company. These machines are large enough that, according to the report, “even running at low speeds, their force is more than sufficient to cause a skull fracture”.
As well as the potential, it seems, to inflict blunt force trauma, home robots can feasibly be used as in-house spies. IOActive found that SoftBank’s Pepper and NAO robots could record video and audio in secret, seamlessly sending this data to an external server.
IOActive was also able to remotely hack the Alpha models, and found that they didn’t encrypt the private data they captured before storing or transmitting it, opening the doors to cybercrime.
In an email, IOActive principal security consultant Lucas Apa said: “If we know about these vulnerabilities, chances are that we’re not the only ones.”
Security flaws were preventable
The IOActive report described the security flaws in these seemingly family-friendly machines as “critical” and, crucially, easily preventable by following stricter cybersecurity practices.
In response, UBTech called the work “an exaggerated depiction” of its platform, and said the concerns had been fully addressed. Wired reported that SoftBank had also fixed the issues raised by IOActive.
An initial report by IOActive was released in March 2017, with details on how the hacks were carried out in an effort “to make the public aware of the risks and prod the manufacturers to fix the security flaws”, according to Bloomberg.
As IoT is still in its infancy, it’s clear from incidents such as this that more importance needs to be placed on the security of these devices, from the initial planning stages, all the way down to the market-ready products.
Neglecting infosec protocols can no longer be a company oversight.