CANCUN, Mexico – A vulnerability in Softbank Robotics’ NAO and Pepper robots can lead to costly ransomware attacks that could cause robots deployed in businesses to stop working, curse at customers, or even perform violent movements.
The vulnerability was disclosed at Kaspersky Lab’s Security Analyst Summit by IOActive Labs. The security firm said that Softbank was notified of the vulnerability January 2017, but they aren’t aware of any available patches.
Lucas Apa and Cesar Cerrudo, researchers with IOActive Labs, told Threatpost that the vulnerability can open opportunities for ransomware attacks targeting sensitive in-transit information collected on the robot, like high-definition video feed, audio captured by up to four directional microphones, and payment or other business information running on the robots. Another critical ransomware target is downtime in robots – many businesses lose money every second one of their robots is nonoperational.
“It stands to reason, then, that service and/or production disruption is another strategy for attackers. Instead of encrypting data, an attacker could target key robot software components to make the robot non-operational until the ransom is paid,” according to an IOActive Labs whitepaper on the vulnerability, released at SAS on Friday.
The NAO and Pepper robots, priced around $10,000, are some of the most widely used research and education robots in the world, with 20,000 Pepper robots deployed in 2,000 businesses worldwide, and 10,000 NAO robots in use globally. These robots are used by an array of businesses, in the education, retail and industrial space – such as Sprint, which has started to use Pepper robots to assist customers at its U.S.-based retail stores.
In order to showcase the vulnerability, IOActive Labs built a PoC that targeted Softbank Robotics’ NAO robot, which could also be applied to the Pepper model. In order to deploy ransomware, the company exploited an undocumented function that allows remote command execution.
“This undocumented function allows executing commands remotely by instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function,” according to IOActive Labs.
They then infected module files to change robot default operations, disable administration features, monitor video/audio and send it to a C2. From there, attackers can elevate privileges, change SSH settings, and change root passwords. To keep users from restoring the system uninstalling the ransomware, attackers can also disrupt the factory reset mechanism.
The attacker could then notify infection to command and control servers and infect all behavior files, which contain custom code to execute the main robot business or actions.
IOActive Labs said that by injecting custom Python code into any .xar behavior XML files executed on the robot, the robot behavior can be changed in a malicious way without even changing the project file.
The research company’s proof of concept indicates that the notion of ransomware will become much more costly – and potentially dangerous – when applied to the robots increasingly appearing in homes, education centers, businesses and industrial facilities.
“What’s more concerning is that robots can also make movements,” said Apa. “This ransomware could potentially compromise the robots and threaten human life if it could randomly hit out at an employee in the business.”
Part of the reason that ransomware attacks are so effective with robots is that they aren’t cheap or easy to factory reset to fix software or hardware problems, according to IOActive Labs’ Apa.
“Regular ransomware can be easily removed and data recovered with an available backup,” said Apa. “On the other hand, robot ransomware can’t be easily removed, the robots require specially trained technicians to repair problems, and non-operational downtime leads to lost production and revenue.”
IOActive Labs said that though its proof of concept ransomware targeted SoftBank’s Pepper and NAO, the same attack is possible on many robots from several vendors.
“Robot vendors should improve security as well as the restore and update mechanisms of their robots to minimize the ransomware threat. If robot vendors don’t act quickly, ransomware attacks on robots could cripple businesses worldwide,” said IOActive Labs’ report.