Last month, cybersecurity firm IOActive let everyone know that Segway MiniPro hoverboards were vulnerable to hacks and outside control via their Bluetooth connections. Now it has revealed that industrial robots from Universal Robots and consumer models from Softbank Group and UBTech Robotics also have some troubling security flaws that can allow hackers to "modify safety settings, violating applicable safety laws and, consequently, causing physical harm to the robot's surroundings by moving it arbitrarily," according to a report published by the company today.
The devices produced by Universal Robots are uncaged industrial robots meant to work with humans. Safety features are put in place to make sure working alongside the robots is safe for humans, but IOActive was able to override those features after hacking into the software. The company told Bloomberg that with these robots, "even running at low speeds, their force is more than sufficient to cause a skull fracture."
With Softbank's Pepper and NAO consumer robots, IOActive discovered that hackers can use them to record audio and video and transmit those recordings to an outside server. With UBTech's Alpha series, information captured by the models wasn't encrypted, making it pretty easy for someone with the right skills to steal it. And though they're not as big as the Universal Robots devices, the smaller consumer bots could still cause some harm. Check out the video below to see UBTech's cute Alpha 2 turn into a screwdriver-wielding, tomato-stabbing maniac.
IOActive informed the companies of the vulnerabilities it uncovered. "We contacted all the vendors in January but sadly there's little to suggest that the 50-plus vulnerabilities we demonstrated have been fixed," Lucas Apa, IOActive's principal security consultant, told Bloomberg. "Most vendors were not forthcoming when we contacted them in private, so going public was the only option left available to us." Universal Robots told Bloomberg that it was aware of the report and that the products "undergo rigorous safety certification." SoftBank said it had patched the vulnerabilities found by IOActive.
"If we know about these vulnerabilities, chances are that we're not the only ones," said Apa. "These are early days for the robotics industry, but as it grows, we want to make sure it has a more secure future."
Update: UBTech sent us a response to IOActive's report and video of its Alpha 2 robot. The company's North America general manager, John Rhee, said in a statement, "UBTech has been made aware of a sensationalistic video produced by IOActive featuring the Alpha 2. The video is an exaggerated depiction of Alpha 2's open-source platform. UBTECH encourages its developer community to code responsibly and discourages inappropriate robot behavior."
He added, "UBTech is committed to maintaining the highest security standards in all of its products. As a result the company has conducted a full investigation into the claims made in the IOActive report regarding the Alpha 2 robot. The Alpha 2 robot was designed to be on an open-sourced platform where developers are encouraged to program their robots with code. UBTech has fully addressed any concerns raised by IOActive that do not limit our developers from programming their Alpha 2."