Ransomware experiment shows the dangers of hacking robots
Ransomware, the act of demanding money by locking down devices and files, is not only a threat on phones or computers. It’s coming for robots, too.
Researchers at security firm IOActive have successfully conducted a ransomware attack on a SoftBank Robotics NAO humanoid robot.
Designed for schools and businesses, NAO and its more popular sibling Pepper are robots equipped with microphones and cameras. They’re typically used in classrooms, retail stores, and offices for customer assistance.
After installing ransomware on the robot, the security firm was able to get it to demand bitcoin. The researchers could modify system files and the robot’s behavior, such as forcing it to say threatening messages.
The team also noted a hacked robot’s potential ability to steal stored data, say curse words, or display controversial content such as pornography if it has a screen.
“Ransomware for robots is a real threat with potentially huge economic implications for businesses — even more than regular ransomware,” the researchers wrote in a report published Friday.
As robots become increasingly commonplace, from smart speakers like Amazon Echo to manufacturing plants, it’s a reminder of the threats that could disrupt our lives.
In IOActive’s case, the ransomware installation required the same Wi-Fi network as the robot. This means the hack had to take place nearby; if a robot is connected to a retail store’s public internet, a hacker would need access to its Wi-Fi network to compromise the device.
The experiment followed IOActive’s work last year that discovered 50 vulnerabilities in robots manufactured by a number of vendors, including SoftBank Robotics. To further their research, IOActive created a proof-of-concept ransomware attack on the NAO robot. Because it was developed in a similar way, the attack would also likely work on Pepper.
IOActive said researchers alerted SoftBank Robotics to the security issues in January 2017, but the company has not yet fixed the flaws.
“When in use of Pepper, we ask to maintain the wifi network security, and also to set the robot passwords correctly. We will continue to improve our security measures on Pepper, so we can counter any risks we may face,” the firm said in a statement.
The researchers said fixing a robot controlled by ransomware requires a specialized technician. A robot owner might have to send the robot back to the vendor for repairs, which could be costly.
The financial cost of general ransomware on businesses is significant. Small businesses can lose hundreds thousands of dollars and days of productivity due to disruptions in their services. At large corporations, the cost can be even higher.
Last year, the WannaCry ransomware attack shut down hospitals in the UK, which were forced to turn patients away due to computer issues. The malware also infected a Honda plant in Japan and disrupted vehicle production.
Although the IOActive research didn’t harm a business or consumer, it’s an example of the potential issues of robots and connected devices. The more gadgets become a part of the so-called Internet of Things (IoT) — which includes products like internet-connected lightbulbs, smart TVs and speakers — the more opportunities hackers have to conduct cyberattacks.
“Robots are IoT on steroids,” said Cesar Cerrudo, CTO at IOActive. “And the impact of ransomware is much bigger, as it directly affects business production and services.”