It’s hard enough for CISOs to deal with humans in their enterprises. A new report from a security vendor warns increasingly they have to deal with cobots, slang for collaborative robots that work alongside peoples in workplaces.
The report, from researchers at IOActive, cites a study by the control and robotics laboratory at Montreal’s Ecole de technologie superieure (ETS) showing even a small model is powerful enough to harm a person beside it if it loses control. And it might for a number of reasons, including being hacked remotely if the cobot is connected to the public Internet.
The short version of this is that CISOs have to treat cobots like any other device that might connect to a public network, which includes conducting a risk assessment and talking to the manufacturers about the device’s operational code.
What the report says is — like SCADA devices also found in industry — manufacturers may not be using the best cyber security coding practices. In a blog today describing the report, researcher Lucas Apa says in one manufacturer’s cobots an attacker could chain vulnerabilities to remotely modify safety settings, violating applicable safety laws with the result nearby workers could be hurt.
Unlike robots, who operate in a fixed environment, cobots assist humans by seeing through HD cameras and listening through microphones. They can also be guided by operators. Cobots are already in use around the world, and while they will come with safety features they are machines and come with the threats all such devices have: Sharp instruments and the ability to use force.
The cobot analyzed by IOActive had a Linux source code. Briefly, researchers discovered an authentication vulnerability in the server-based management dashboard, exploited a stack-based buffer overflow, modified the safety.conf file, restarted the machine and them moved the cobot in a dangerous way.
This report is a follow-up to one Apa and fellow researcher Cesar Cerrudo did in January (link here. Registration required)  on home, business and industrial robots and cobots. In that paper they found  nearly 50 critical security issues. All were reported to manufacturers. Some have been patched, but this latest paper was issued because one vendor has been tardy.
“Once again, I see novel and expensive technology which is vulnerable and exploitable,” writes Apa. “A very technical bug, like a buffer overflow in one of the protocols, exposed the integrity of the entire robot system to remote attacks. We reported the complete flow of vulnerabilities to the vendors back in January, and they
have yet to be patched.”
The most obvious response from CISOs is to make sure industrial systems run on a segregated network fully protected from Internet attacks. But also the must check with manufacturers to ensure source code isn’t vulnerable.