IOActive researchers Lucas Apa and Cesar Cerrudo say that the attackers are unlikely to go after data, as most of the data robots handle is in transit and only captured, retrieved, processed and transmitted to be stored in other endpoints.
They believe that hijacking robots and making it impossible for users to reset them to factory presets and remove “ransomware” without calling in the experts is the most likely approach attackers will take.
“Usually, when a robot malfunctions, you have to return it to the factory or employ a technician to fix it. Either way, you may wait weeks for its return to operational status,” they explained.
“Businesses and factories lose money every second one of their robots is non-operational. Paying a ransom to quickly get the robots working again could be cheaper than the alternative. Due to these unique issues with robots, cybercriminals could ask for much higher ransoms than those requested for regular ransomware attacks.”
To prove what’s possible, the two researchers created a proof-of-concept exploit that takes advantage of a long-standing undocumented function in SoftBank’s NAO, a humanoid robot mostly used in research and education.
They exploited the vulnerability, and it allowed them to execute commands on the robot remotely by instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function. With that remote command execution, they:
- Infected module files to change the robot’s default operations, disable administration features, monitor video/audio and send it to a C&C server via the Internet
- Elevated privileges, changed SSH settings, and changed the root password to disable remote access
- Disrupted the factory reset mechanism in order to prevent the user from restoring the system or uninstalling the ransomware
- Flagged the infection to the C&C server, and infected all behavior files
The result? A robot that can’t be controlled by the user anymore and that asks for a ransom to be paid.
Robot vendors should improve security
They tested their PoC on a NAO robot, as they had one on hand, but say that because SoftBank’s business-oriented robot Pepper has nearly the same operating system and vulnerabilities, the attack is sure to work on it as well.
They informed SoftBank of their findings way back in January 2017, but they are “not aware of any fix available yet.”
“Though our proof of concept ransomware impacted SoftBank’s Pepper and NAO, the same attack is possible on almost any robot,” they added.
“Robot vendors should improve security as well as the restore and update mechanisms of their robots to minimize the ransomware threat. If robot vendors don’t act quickly, ransomware attacks on robots could cripple businesses worldwide.”