Thesis · 2025
Abstract. Robots, integral to modern automation and services, encounter formidable cybersecurity challenges, primarily due to their inherent complexity and the lack of vendor accountability for security, shifting the burden to end-users. Offensive Robot Cybersecurity, the title of this thesis, introduces a groundbreaking approach by advocating for offensive security methods empowered by automation leveraging modern Artificial Intelligence. It emphasizes the necessity of understanding attackers' tactics and identifying vulnerabilities in advance to develop effective defenses, thereby improving robots' security posture. This endeavor leverages a decade of robotics experience, employing Machine Learning and Game Theory to streamline the vulnerability identification and exploitation process. Intrinsically, the thesis uncovers a profound connection between robotic architecture and cybersecurity, highlighting that the design and creation aspect of robotics deeply intertwines with its protection against attacks. Through comprehensive analysis — including ethical considerations, the development of security tools, and executing cyber attacks on robot software, hardware, and industry deployments — this thesis proposes a novel architecture for cybersecurity cognitive engines. Powered by advanced game theory and machine learning, these engines pave the way for autonomous offensive cybersecurity strategies for robots, marking a significant shift towards self-defending robotic systems. This research affirms, especially in the complex realm of robotics, that the best defense is a good offense.
This is the doctoral thesis of the lab's principal investigator, Víctor Mayoral-Vilches. Its argument is deceptively simple and, in robotics, still contrarian: the most effective way to protect a robot is to attack it first. Penetration testing, red teaming and the disciplined discovery of flaws before an adversary finds them are not a supplement to defense — they are its foundation. The work is an extended meditation on an old adage, the best defense is a good offense, applied to machines that move, weld, drive, and operate alongside people.
It begins by separating two words the robotics industry routinely conflates. Safety protects the environment from the robot — nothing bad happens by accident. Security protects the robot from its environment — nothing bad happens on purpose. Fifty years of industrial robotics have been built almost entirely around the first word; standards and vendors optimise for safety while treating security as someone else's problem. The thesis closes that gap, building on roughly a decade of core robotics experience and using Machine Learning and Game Theory to automate attacks — and, by automating them, to make defending robots economically feasible.
Complexity is the enemy of security, and robots are among the most complex systems humans build. A robot is a system of systems — a network of networks in which sensors feed compute nodes that drive actuators in hard real time, the whole behaving as a computational graph with data crossing processes and communication buses. That heterogeneity produces a wide attack surface and a long list of attack vectors that a conventional, perimeter-first defensive posture simply cannot cover.
Worse, robotics has never had a culture of security. The first robot programming languages — ABB's Rapid, KUKA's KRL, Fanuc's Karel — shipped with no security primitives, and modern frameworks such as ROS deliberately deferred security to third parties. Vendors, with few exceptions, forward the problem to the end-user. Compared head-to-head with IT, operational technology and IoT, robotics is the most demanding domain of all: ten-year-plus lifecycles, very poor security awareness, patching that is rare or impossible, hard real-time and safety constraints, and security testing that is largely absent.
The thesis is organised around one question: given the increasing complexity of robotic systems, how can we protect them from cyber-threats? It answers with two hypotheses. First, that this complexity — with its wide attack surface and many vectors — is tackled more effectively with an offensive security approach than a defensive one. Second, that an autonomous, end-to-end offensive assessment algorithm leveraging Machine Learning and Game Theory can overcome the scalability problem that limits red teaming and penetration testing today, where skilled human effort simply does not scale to a fleet.
Underlying both is a stance: security is a continuous process, not a product you buy once. The work proceeds bottom-up through four building blocks — the ethics and landscape of the field; the blueprints (defensive tools and frameworks); the attacks on real robot software, hardware and industry; and the automation that turns offense into an autonomous capability.
Robot cybersecurity is young. The first industrial cyber-physical system dates to 1962 and the first robot-caused human death to 1979 — but that was safety. Security attention only began around 2016, when independent groups (Lera in Spain, Dieber in Austria, White with SROS) warned that the Robot Operating System was fundamentally insecure — and almost all of that early work was defensive. Alias Robotics entered from 2018 with the opposite, offensive orientation, releasing a security-assessment framework, a robot-specific vulnerability-scoring mechanism, a robotics Capture-The-Flag environment, and the Robot Vulnerability Database (RVD).
Multi-year surveys of the ROS, PX4, ROS-Industrial and European Robotics Forum communities exposed a chronic investment gap: 73% of ROS respondents felt they had under-invested in security, yet only 26% had actually invested; most relied on generic perimeter defenses rather than robot-specific measures, and only 9% had ever witnessed an attack first-hand. In Europe, 86% placed responsibility for incidents on the supply chain — integrators and vendors — not end-users.
That responsibility is often unmet. Collaborative-robot makers Mobile Industrial Robots and Universal Robots left zero-days unmitigated for over a year; ABB patched some flaws in as little as two weeks but averaged more than four years. The thesis argues that the ratio of publicly disclosed to privately hoarded vulnerabilities is itself a measure of a manufacturer's security maturity — and contrasts a user-centric 90-day disclosure policy (tied to the RVD) with more opaque, vendor-centric alternatives that forced researchers to bypass the vendor and coordinate directly with national CERTs. To address the shortage of learning material, it also produced the open Robot Hacking Manual.
ROS 2 offloads its communications to the Data Distribution Service (DDS), a publish–subscribe middleware. SROS2 — a set of usable developer tools contributed by this work — hardens that nervous system through a repeatable six-step DevSecOps loop: introspect the computational graph, authenticate the nodes, authorize their access, generate the security artifacts, deploy them, and continuously monitor.
Under the hood it drives the DDS Security standard — a public-key infrastructure, mutual challenge-response authentication, AES-GCM encryption and AES-GMAC message authentication — mapping ROS-level permissions down onto DDS enclaves. A full case study secured a TurtleBot3's navigation and SLAM stacks and, in doing so, surfaced the limits of the tooling itself. Because DDS Security remains immature — with numerous open issues and its own CVEs — the thesis also demonstrates running an encrypted ROS 2 graph over a VPN as an additional, pragmatic layer of defense.
Security is never free, and the thesis measures the bill precisely. RobotPerf, an open, vendor-neutral benchmark for ROS 2 across CPUs, GPUs and FPGAs, was pointed at the cost of securing intra-robot communications. Over a million samples, DDS Security added 1.55× latency, a VPN 3.06×, and both together 4.19× over an unprotected baseline — turning 312 microseconds into 1,310. For a hard-real-time machine, that overhead is the difference between a control loop that meets its deadline and one that does not.
The answer is to buy the security back in silicon. RobotCore, an open architecture for hardware acceleration, extends ROS 2 across FPGAs and GPUs so that expensive operations can be offloaded without breaking the framework. Early dedicated robot-security accelerators cut intra-network ROS 2 latency to single-digit microseconds — on average more than 100× faster than the CPU software path, and, in worst-case maximum latency, more than 100,000× faster and deterministically bounded. Security you can actually afford at real-time.
To prove the offensive thesis, the work attacks the very middleware it hardened. DDS is not niche: beyond ROS 2 it underpins industrial manipulators, surgical robots, autonomous cars, railways, airports, spacecraft, military vehicles and NASA's launch control at Kennedy Space Center. An 18-month international effort dissected the DDS specification, its Real-Time Publish-Subscribe (RTPS) wire protocol, and the six most common implementations — OpenDDS, eProsima Fast-DDS, Eclipse Cyclone DDS, RTI Connext, GurumDDS and CoreDX. Because DDS is ROS 2's default transport, every flaw found also lands on ROS 2.
The campaign produced 13 new CVEs, including one in the standard specification itself: an RTPS network reflection/amplification weakness (discovered almost by accident by pointing a participant locator at 8.8.8.8), memory-corruption bugs in RTPS deserialization enabling denial of service or code execution, and XML-configuration parsing overflows. One implementation was found shipping a library abandoned since 2010 that carried sixteen known CVEs of its own.
Then they looked outward. A distributed internet-wide scan found more than 600 exposed DDS services across 34 countries, roughly 63% of them leaking private internal IP addresses, with one vendor's entire CI/CD pipeline reachable behind default credentials. The findings were coordinated with CISA into advisory ICSA-21-315-02. A proof-of-concept crashed the DDS layer of a TurtleBot3 in simulation and in the flesh — blinding its Lidar-based obstacle avoidance, a data-integrity bug turned directly into a physical-safety failure.
The hardware chapter argues for robot teardown — systematic disassembly — as a discipline for repair, for a Right to Repair, and for security research. Three Teradyne collaborative robots went under the screwdriver: the Universal Robots UR3 (CB3.1), the newer UR3e, and the Mobile Industrial Robots MiR-100.
The findings are damning by design. The UR3's safety logic ran on an NXP microcontroller whose own datasheet states it is not intended for safety- or life-critical use. The UR3e moved safety logic to an FPGA but changed the arm connector for no engineering reason other than to enforce planned obsolescence — the researchers showed the underlying power and RS-485 lines were still compatible and built sub-€20 adapters to bypass it, even driving a UR3e arm from a Raspberry Pi. Over two years the team found more than a hundred flaws across these machines, yielding 17 new CVEs disclosed through the RVD: root-level 'magic file' execution and unauthenticated dashboard control on Universal Robots; hardcoded credentials, default safety-PLC passwords that could disable safety, and a wholly exposed, unauthenticated ROS graph on the MiR. One MiR flaw was mitigated elegantly — by inserting an off-the-shelf SICK hardware firewall between controller and safety PLC, no firmware change required.
The industry chapter builds the weapon the field feared: Akerbeltz, described as the first proof-of-concept ransomware for industrial collaborative robots, prototyped against Universal Robots' best-selling UR3. Intrusion needed only physical access to the teach pendant's USB port (a root code-execution flaw) or an adjacent-network foothold. With root in hand, no privilege escalation was necessary — the robot's 'open' architecture allowed trivial lateral movement to hijack the PolyScope interface, disable the safety configuration, rotate credentials, and PGP-encrypt the robot's programs and intellectual property.
Penetration testing turned up more than 300 additional vulnerabilities along the way. The disclosure story is the point: emails, CVE filings, and even a recorded live attack on a UR3 on stage at the 2019 ROS-Industrial Conference in Stuttgart reportedly drew no formal security response, the vendor maintaining that the robot 'is designed to be open.' The thesis warns that far more destructive malware — self-destructing, or engineered to harm the humans nearby — is trivially achievable against machines built insecure by design.
Offense that depends on scarce human experts does not scale to a fleet; the final part automates it. The first question is which vector to attack. The thesis adapts a game called Cut-The-Rope to robotics. The battlefield is an attack graph — nodes are system states and vulnerabilities, edges are exploits, and one node is the asset to protect. Three assumptions make it realistic: the attacker is already inside at an unknown location (the quiet incubation phase of an advanced persistent threat), is stealthy (the defender gets no alarm and must treat every location as possible), and can push along all paths at once.
To cope with that uncertainty the defender imagines a whole cohort of attacker 'avatars', one starting from every node, all advancing on the asset. A defender move is a spot-check — clean malware, disable a service, rotate a credential — whose effect is transient: it 'cuts the rope', sending an avatar back down its path without permanently changing the graph. Solved as a zero-sum, infinite-horizon game, the optimal randomized checking rule is a Nash-equilibrium security strategy that bounds the attacker's worst case. On two supplied robot case studies it worked: for the MARA arm it cut the attacker's chance of reaching the asset to 12.8% against a 30.6% best-effort baseline; for the MiR100 mobile robot to 7.7% against 29.8%, and as low as 2.4% with well-timed checks. The non-obvious lesson: with no monitoring signal, defend the immediate neighbourhood of the asset — a defense-in-depth posture — rather than the outer perimeter, precisely because the intruder may already be deep inside.
If game theory chooses the target, machine learning drives the exploit. Conventional reinforcement learning did not generalise across cybersecurity's vast space of states and actions, so the thesis pivoted to Large Language Models. A benchmark of 13 targets and 182 sub-tasks put GPT-3.5, GPT-4 and Bard through an interactive penetration test: the models were strong at tool use, code analysis and recognising vulnerabilities, but collapsed on hard targets — above all losing the thread of a long engagement, a session-memory failure counted 74 times.
The fix, co-developed here, is PentestGPT, which mirrors a human pentest team across three LLM-backed modules: a Reasoning lead that maintains a novel Pentesting Task Tree — the whole engagement's state written in natural language, solving the memory problem — a Generation module that expands a chosen sub-task into concrete commands with chain-of-thought to curb hallucination, and a Parsing module that digests verbose tool output. It improved sub-task completion by 228.6% over GPT-3.5 and 58.6% over GPT-4; an ablation showed the reasoning tree is the load-bearing component. Turned loose on live HackTheBox machines it solved real targets for about $131 in API cost, placing it in the top ~1% of a 670,000-strong community. Open-sourced, it drew over 4,700 stars.
The pieces close into a loop. The proposed cybersecurity cognitive engine — codenamed Malism — takes a user's goal and lets ExploitFlow compose exploits while tracking the evolving system as an attack tree; the Cut-The-Rope game-theory module reasons over that tree to pick the optimal vector; PentestGPT turns the vector into step-by-step, executable actions; results feed back for execution, and PentestPerf benchmarks the whole flow. The result is a self-evolving, largely autonomous offensive-and-defensive framework a non-expert can run — a robot that assesses and defends itself.
The thesis lands on its maxim: robots become more secure by hacking themselves first. Along the way it reveals a deeper truth — that robotic architecture (the discipline of creation, shaping what a robot can do) and cybersecurity (the discipline of offense and defense, protecting what is built) are far more intimate than they appear; each of the earlier parts, from SROS2 to the teardowns to the MARA and MiR100 attacks, becomes the raw material the automation reasons over. The road ahead is to shrink Malism into an embedded, FPGA-accelerated form factor for real-time, on-device defense that no longer depends on vulnerable cloud services — and to carry the same offensive-first playbook beyond robots into autonomous vehicles, smart manufacturing and critical infrastructure. In robotics, as the work insists throughout, the best defense really is a good offense.
@phdthesis{mayoralvilches2025offensiverobot,
title = {Offensive Robot Cybersecurity},
author = {Víctor Mayoral-Vilches},
school = {Alpen-Adria-Universität Klagenfurt},
year = {2025},
eprint = {2506.15343},
archivePrefix= {arXiv},
url = {https://arxiv.org/pdf/2506.15343.pdf},
}