breaking the laws of robotics
play

Breaking the Laws of Robotics Attacking Industrial Robots Davide - PowerPoint PPT Presentation

Dec 31, 2023 •192 likes •1.03k views

Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero Industrial robots? Industrial Robot Architecture (Standards) Controller Flexibly

  1. Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero

  2. Industrial robots?

  3. Industrial Robot Architecture (Standards) Controller

  5. Flexibly programmable & Connected

  6. Screenshot of teach pendant + formatted code snippet on the side

  7. “Implicit” parameters

  8. “Implicit” parameters

  9. Flexibly programmable & Connected (Part 1)

  10. They are already meant to be connected

  11. Services: USB port Well-known (FTP) + custom (RobAPI) LAN Attack surface Radio

  12. Connected Robots: Why? ● Now: monitoring & maintenance ISO 10218-2:2011 ● Near future: active production planning and control ○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands ● Future: app/library stores ○ “Industrial” version of robotappstore.com?

  13. Connected? Do you consider cyber attacks against robots a realistic threat?

  14. Do you consider cyber attacks against robots a realistic threat?

  15. What consequences do you foresee?

  16. What are the most valuable assets at risk?

  17. impact is much more important than the vulnerabilities alone.

  18. How do we assess the impact of an attack against industrial robots?

  19. We assess impact by reasoning on requirements

  20. Requirements: "Laws of Robotics" Safety Accuracy Integrity

  21. Requirements: "Laws of Robotics" Safety Accuracy Integrity Acknowledgements T.U. Munich, YouTube -- Dart Throwing with a Robotic Manipulator

  22. Requirements: "Laws of Robotics" Safety Accuracy Integrity

  23. Robot-Specific Attack Safety violating any of these Accuracy requirements via a digital vector Integrity

  24. Control Loop Alteration Attack 1 Safety Accuracy Integrity

  25. Control Loop Alteration Attack 1 Safety Accuracy Integrity

  26. Control Loop Alteration Attack 1 Safety Accuracy Integrity

  28. Calibration Tampering Attack 2 Safety Accuracy Integrity

  29. Calibration Tampering Attack 2 Safety Accuracy Integrity

  30. Production Logic Tampering Attack 3 Safety Accuracy Integrity

  31. Production Logic Tampering Attack 3 Safety Accuracy Integrity

  32. Displayed or Actual State Alteration Attacks 4+5 Safety Accuracy Integrity

  33. Displayed or Actual State Alteration Attacks 4+5 Safety Accuracy Integrity

  34. Displayed State Alteration PoC Malicious DLL Teach Pendant

  35. Displayed State Alteration PoC Malicious DLL Teach Pendant

  36. Is the Teach Pendant part of the safety system?

  37. Is the Teach Pendant part of the safety system? NO

  38. Are the standard safety measures too limiting?

  39. Do you "customize" the safety measures in your deployment?

  40. Standards & Regulations vs. Real World

  41. ...so far, we assumed the attacker has already compromised the controller...

  42. … let’s compromise the controller!

  43. Services: USB port Well-known (FTP) + custom (RobAPI) LAN Attack surface Radio

  44. VxWorks 5.x RTOS (PPC) VxWorks 5.x FTP, RobAPI, ... RTOS (x86) Windows CE (ARM) .NET >=3.5

  45. User Authorization System User ∈ roles → grants Authentication: username + password Used for FTP, RobAPI, …

  46. User Authorization System

  47. User Authorization System tl;dr; read deployment guidelines & deactivate the default user

  48. Update problems FlexPendant Axis Computer Microcontrollers

  49. Update problems FlexPendant Axis Computer Microcontrollers How? FTP at boot .... plus, no code signing, nothing

  50. Update problems FlexPendant Axis Computer Microcontrollers FTP? Credentials? Any credential is OK during boot! ABBVU-DMRO-124644

  51. Autoconfiguration is magic!

  52. Autoconfiguration is magic! ABBVU-DMRO-124642

  53. Enter /command FTP RETR /command/whatever read system info FTP STOR /command/command execute “commands” ABBVU-DMRO-124642

  54. Enter /command FTP RETR /command/whatever read system info FTP STOR /command/command execute “commands” ABBVU-DMRO-124642

  55. Enter /command FTP GET /command/whatever read, e.g., env. vars FTP PUT /command/command execute “commands” shell reboot shell uas_disable + hard-coded credentials? → remote command execution ABBVU-DMRO-124642

  56. Enter /command Let’s look at cmddev_execute_command : shell → sprintf(buf, "%s", param) other commands → sprintf(buf, "cmddev_%s", arg) overflow buf (on the stack) → remote code execution ABBVU-DMRO-128238

  57. Other buffer overflows Ex. 1: RobAPI ● Unauthenticated API endpoint ● Unsanitized strcpy() → remote code execution Ex. 2: Flex Pendant ( TpsStart.exe ) ● FTP write /command/timestampAAAAAAA … ..AAAAAAA ● file name > 512 bytes ~> Flex Pendant DoS ABBVU-DMRO-124641, ABBVU-DMRO-124645

  58. Takeaways Some memory corruption Mostly logical vulnerabilities All the components blindly trust the main computer (lack of isolation)

  59. Complete attack chain (1)

  60. Complete attack chain (2)

  61. Complete attack chain (3)

  62. File protection “Sensitive” files: ● Users’ credentials and permissions ● Sensitive configuration parameters (e.g., PID) ● Industry secrets (e.g., workpiece parameters)

  63. File protection “Sensitive” files: ● Users’ credentials and permissions ● Sensitive configuration parameters (e.g., PID) ● Industry secrets (e.g., workpiece parameters) Obfuscation : bitwise XOR with a “random” key. Key is derived from the file name. Or from the content. Or …

  64. That’s how we implemented the attacks

  65. Attack Surface ?

  66. Flexibly programmable & Connected (Part 2)

  68. Ethernet Wireless

  69. WAN

  70. Remote Exposure of Industrial Robots Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10 Not so many... (yesterday I've just found 10 more)

  71. Remote Exposure of Industrial Routers ...way many more! Unknown which routers are actually robot-connected

  72. Typical Issues Trivially "Fingerprintable" ● Verbose banners (beyond brand or model name) ● Detailed technical material on vendor’s website ○ Technical manual: All vendors inspected ○ Firmware: 7 /12 vendors

  73. Typical Issues (1) Outdated Software Components ● Application software (e.g., DropBear SSH, BusyBox) ● Libraries (including crypto libraries) ● Compiler & kernel ● Baseband firmware

  74. Typical Issues (2) Insecure Web Interface ● Poor input sanitization ● E.g., code coming straight from a "beginners" blog Cut & paste

  75. Bottom line Connect your robots with care (follow security best practices & your robot vendor’s guidance)

  76. Conclusions

  77. Black Hat Sound Bytes Robots are increasingly being connected Industrial robot-specific class of attacks Barrier to entry: quite high , budget-wise

  78. What should we do now? Vendors are very responsive As a community we really need to push hard for countermeasures

  79. Hints on Countermeasures Short term Attack detection and deployment hardening Medium term System hardening Long term New standards, beyond safety issues

  80. Questions? Davide Quarta Marcello Pogliani Federico Maggi davide.quarta@polimi.it marcello.pogliani@polimi.it federico_maggi@trendmicro.com @_ocean @mapogli @phretor Papers, slides, and FAQ http://robosec.org — http://bit.ly/2qy29oq

  81. Questions?

  82. Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero

Recommend

Breaking the Laws Of Robotics @TR18 Davide Quarta @_ocean Marcello Pogliani @mapogli Mario

Breaking the Laws Of Robotics @TR18 Davide Quarta @_ocean Marcello Pogliani @mapogli Mario

Breaking the Laws Of Robotics @TR18 Davide Quarta @_ocean Marcello Pogliani @mapogli Mario Polino @jinblackx Federico Maggi @phretor Stefano Zanero @raistolo https://mg-iii.deviantart.com/art/I-Robot-54308587 8 Industrial robots?

1.11k views • 86 slides
i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

Symmetry is fundamental to our understanding of the basic laws of physics Mass is always associated with symmetry breaking Easier to discover the symmetry: e.g. SU(2) x U(1) Harder to discover the symmetry breaking mechanism, i.e., Higgs? 1

862 views • 24 slides
MP2: Ancient Mine Exploration By: Rohan Tabish What have we learned so far ? Recap - Asimov Laws

MP2: Ancient Mine Exploration By: Rohan Tabish What have we learned so far ? Recap - Asimov Laws

MP2: Ancient Mine Exploration By: Rohan Tabish What have we learned so far ? Recap - Asimov Laws for Robotics Recap - Asimov Laws for Robotics Recap - Asimov Laws for Robotics What kinds of robots we want? What kinds of robots we want?

487 views • 35 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
AI and Robotics Search Techniques in AI and Robotics AI Robotics AAAI,IJCAI ICRA, IROS

AI and Robotics Search Techniques in AI and Robotics AI Robotics AAAI,IJCAI ICRA, IROS

AI and Robotics Search Techniques in AI and Robotics AI Robotics AAAI,IJCAI ICRA, IROS ICAPS, AAMAS lots of smaller conferences Sven Koenig University of Southern California skoenig@usc.edu The symposium is supported by NSF! e.g. search

400 views • 5 slides
Three New Laws of AI Qiang Yang CAIO, WeBank, Chair Professor, HKUST 2020.7

Three New Laws of AI Qiang Yang CAIO, WeBank, Chair Professor, HKUST 2020.7

Three New Laws of AI Qiang Yang CAIO, WeBank, Chair Professor, HKUST 2020.7 https://www.fedai.org/ 1 Three Laws of Robotics Asimov First Law: A robot may not injure a human being, or through interaction, allow a human being to

1.08k views • 56 slides
Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on

Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on

Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on what should we call for reforms? Yao Graham s speaking notes at 2018 Alternative Mining Indaba 1. Greetings to all. Gratitude to organisers for

605 views • 6 slides
Mobile & Service Robotics Mobile & Service Robotics Sensors for Sensors for Robotics

Mobile & Service Robotics Mobile & Service Robotics Sensors for Sensors for Robotics

Mobile & Service Robotics Mobile & Service Robotics Sensors for Sensors for Robotics Sensors for Sensors for Robotics Robotics 1 Robotics 1 An Example of robots with their sensors 2 Basilio Bona Robotica 03CFIOR 2011 Another

583 views • 20 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

18/02/2015 ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics studies robots For history and definitions see the 2013 slides

357 views • 7 slides
Mobile & Service Robotics Mobile & Service Robotics Sensors for Robotics Sensors for

Mobile & Service Robotics Mobile & Service Robotics Sensors for Robotics Sensors for

Mobile & Service Robotics Mobile & Service Robotics Sensors for Robotics Sensors for Robotics 2 Sensors for Robotics Sensors for Robotics 2 Sensors for mobile robots Objectives: perceive, analyze and understand the environment

561 views • 42 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics studies robots For history and definitions see the 2013 slides

702 views • 14 slides
From Robotic Systems to Robotics-grounded AI Systems Maxim Likhachev Robotics Institute &

From Robotic Systems to Robotics-grounded AI Systems Maxim Likhachev Robotics Institute &

From Robotic Systems to Robotics-grounded AI Systems Maxim Likhachev Robotics Institute & NREC Carnegie Mellon University Transitioning Robotics Systems into the Real World Lots of progress in the last decade, with various robotics

416 views • 9 slides
Overview n Perception for robotics Page 1 Overview n Perception for robotics Overview

Overview n Perception for robotics Page 1 Overview n Perception for robotics Overview

Perception for Robotics: Instance Detection Pieter Abbeel UC Berkeley EECS Overview n Perception for robotics Page 1 Overview n Perception for robotics Overview n Perception for robotics n Accurately localizing (specific)

532 views • 22 slides
Robotics Engineering Prof. Michael Gennert Robotics Engineering Program Director Fall 2016

Robotics Engineering Prof. Michael Gennert Robotics Engineering Program Director Fall 2016

Robotics Engineering Prof. Michael Gennert Robotics Engineering Program Director Fall 2016 Robotics Education Gap Robotics Research PhD @ Large Research Robotics University Engineering Industrial Robotics Technology AA, AS @ Making

945 views • 22 slides
The Robot Operating System (ROS) Introduction, Concepts and Examples Stefano Rosa, 8/5/2015

The Robot Operating System (ROS) Introduction, Concepts and Examples Stefano Rosa, 8/5/2015

Robotics Research Group Politecnico di Torino The Robot Operating System (ROS) Introduction, Concepts and Examples Stefano Rosa, 8/5/2015 Mobile robotics Robotics Service robotics Service robotics Industrial robotics Exploration robotics

1.37k views • 63 slides
ROBOTICS ROBOTICS A brief history A brief history Basilio Bona ROBOTICA 03CFIOR 1 Outline

ROBOTICS ROBOTICS A brief history A brief history Basilio Bona ROBOTICA 03CFIOR 1 Outline

ROBOTICS ROBOTICS A brief history A brief history Basilio Bona ROBOTICA 03CFIOR 1 Outline A brief history of robotics What is a robot and what is robotics Classification of robotic applications Industrial robotics

467 views • 35 slides
I ntroduction to Mobile Robotics Probabilistic Robotics Wolfram Burgard 1 Probabilistic

I ntroduction to Mobile Robotics Probabilistic Robotics Wolfram Burgard 1 Probabilistic

I ntroduction to Mobile Robotics Probabilistic Robotics Wolfram Burgard 1 Probabilistic Robotics Key idea: Explicit representation of uncertainty (using the calculus of probability theory) Perception = state estimation Action

489 views • 36 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics is

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics is

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics is the study and design of robots Robots can be used in different contexts and are classified as 1. Industrial robots 2. Humanoid & biomimetic

596 views • 40 slides
W hat is Robotics Robotics is the science that studies robots and the CY 02CFI C technology

W hat is Robotics Robotics is the science that studies robots and the CY 02CFI C technology

W hat is Robotics Robotics is the science that studies robots and the CY 02CFI C technology that builds them CFI DV Robotics started its development during WWII (Manhattan project) CA 01C Robots (seen as an artificial beings)

447 views • 28 slides
15-MAR-2019 ABB Robotics for UiS Jan Christian Kerlefsen, ABB Robotics, Norway ABB

15-MAR-2019 ABB Robotics for UiS Jan Christian Kerlefsen, ABB Robotics, Norway ABB

15-MAR-2019 ABB Robotics for UiS Jan Christian Kerlefsen, ABB Robotics, Norway ABB Robotics Globally Bryne Employees: ~ 6.000 Employees: 65 employees Industrial robots sold: 40-50.000 per year Mandate: Research &

325 views • 8 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
Socially Assistive Robotics Grace Chandler Socially assistive robotics (SAR): An intersection

Socially Assistive Robotics Grace Chandler Socially assistive robotics (SAR): An intersection

Socially Assistive Robotics Grace Chandler Socially assistive robotics (SAR): An intersection between assistive robotics and socially intelligent robotics, often for a therapeutically beneficial role TEACHING: MITs Tenga- A second language

734 views • 47 slides
Robotics in Healthcare Dr Marcelo H Ang Jr mpeangh@nus.edu.sg Advanced Robotics Centre National

Robotics in Healthcare Dr Marcelo H Ang Jr mpeangh@nus.edu.sg Advanced Robotics Centre National

14 Aug 2018 SHM 2018 Robotics in Healthcare Dr Marcelo H Ang Jr mpeangh@nus.edu.sg Advanced Robotics Centre National University of Singapore Moment of Great Opportunities 2000s 1980s, 1990s 2 Toward Everyday Robotics Structured

680 views • 36 slides

More recommend