Cybersecurity Roboticsthe leading robot cybersecurity lab

The Robot Security Framework (RSF): a methodology to assess robot security

arXiv · 2018

Abstract. Robots have gained relevance in society, increasingly performing critical tasks. Nonetheless, robot security is being underestimated. Robotics security is a complex landscape, which often requires a cross-disciplinary perspective to which classical security lags behind. To address this issue, we present the Robot Security Framework (RSF), a methodology to perform systematic security assessments in robots. We propose, adapt and develop specific terminology and provide guidelines to enable a holistic security assessment following four main layers (Physical, Network, Firmware and Application). We argue that modern robotics should regard as equally relevant internal and external communication security. Finally, we advocate against ”security by obscurity”. We conclude that the field of security in robotics deserves further research efforts.

Full text transcribed from the arXiv (ar5iv) HTML of the original paper.

Abstract

Robots have gained relevance in society, increasingly performing critical tasks. Nonetheless, robot security is being underestimated. Robotics security is a complex landscape, which often requires a cross-disciplinary perspective to which classical security lags behind. To address this issue, we present the Robot Security Framework (RSF), a methodology to perform systematic security assessments in robots. We propose, adapt and develop specific terminology and provide guidelines to enable a holistic security assessment following four main layers (Physical, Network, Firmware and Application). We argue that modern robotics should regard as equally relevant internal and external communication security. Finally, we advocate against ”security by obscurity”. We conclude that the field of security in robotics deserves further research efforts.

Introduction

Robots are going mainstream. From assistance and entertainment robots used in homes, to those working in assembly lines in industry and all the way to those deployed in medical and professional facilities. For many, robotics is called to be the next technological revolution. Yet, similar to what happened at the dawn of the computer or the mobile phone industries, there is evidence suggesting that security in robotics is being underestimated. Even though the first dead human from a robot happened back in 1979 , the consequences of using these cyber-physical systems in industrial manufacturing , professional or commercial environments are still to trigger further research actions in the robotics security field.

Over the last 10 years, the domains of security and cybersecurity have been substantially democratized, attracting individuals to many sub-areas within security assessment. According to recent technical reports summarizing hacker activity per sector , most security researchers are currently working assessing vulnerabilities in websites (70.8%), mobile phones (smartphones, 5.6%) and Internet of the Things (IoT) devices (2.6%), amongst others. Notwithstanding the relevance of robot vulnerabilities for most sectors of application, no formal study has yet published relevant data about robotics nor seems to be an active area of research. We believe that the main reasons for this gap are twofold. In a first aspect, security for robots is a complex subject from a technological perspective. It requires an interdisciplinary mix of profiles, including security researchers, roboticists, software engineers and hardware engineers. In a second aspect and to the best of our knowledge, there are few guidelines, tools and formal documentation to assess robot security . Overall, robot security is an emerging challenge that needs to be addressed immediately.

In an attempt to provide a solution for the second problem, this paper presents the Robot Security Framework (RSF), a systematic methodology for performing security assessments in robotics. We argue that security, privacy and safety in robotic systems should clearly be recognized as a major issue in the field. Our framework proposes a standardized methodology to identify, classify and report vulnerabilities for robots within a formal operational protocol. Throughout the description of the RSF, we present exemplary scenarios where robots are subject to the security issues hereby exposed.

The sections below are organized as follows: Section 2 describes previous work in the field of security for robots. Section 3 elaborates upon the proposed framework. Finally, Section 4 draws major conclusions out of our work.

Previous work

Robot security is becoming a concern that extends rapidly. However, to date, and as already briefed in the Introduction section, there are few honest and laudable efforts that elaborate into methodologies for analyzing robot’s security or cybersecurity. The most relevant of those pioneering contributions is Shyvakov’s work . Him and collaborators aimed to develop a preliminary security framework for robots, described from a penetration tester’s perspective. The cited research piece is, to the best of our knowledge, the best piece of literature addressing robot security concerns. Nonetheless, on the basis of the content and structure of that particular work, we largely found motivation for the present work. We found extremely relevant to review, discuss, complete it, and motivate the full picture assessment from a robotics standpoint.

The author’s classification proposed 4 levels of security: a) physical security, b) network security, c) operating system security and d) application security. However, we find that the author lacks to some extent, the background knowledge related to the robotics field, particularly regarding the internal organization of these systems. For instance, he states that robots have ”internal networks for wiring together internal components (nodes), yet, these networks miss the fact that each is a security critical element which can potentially influence the overall robot security”. Shyvakov even includes a brief category, devoted to internal networks, within his proposed framework. However, under the assumption that ”normal user is usually not supposed to connect to the internal network”, he advises that of cases where ”it is not possible to implement full network monitoring due to hardware limitations but provides no further details on the rationale. By claiming that At least there should be a capability to detect new unauthorized devices on the network” he suggests the idea that dedicated robot network security is needed. Moreover, the author discusses that ”thresholds on IDS of the internal network should be lower than on the external network” but provides no additional foundation for such a claim. We argue that such approach would lead to an incomplete security framework by obscurity. We also believe that modern robotics should converge towards enforcing identical security levels on both inner and outer communication interfaces. Therefore, we advocate for an holistic approach to robot security on the communications level into which we will elaborate.

In an attempt of providing real use-case scenarios, the author recommends a preliminary implementation of the framework and provides exemplification for real robots, yet this particular part of his work remains hidden or sanitized. Even if the reasons behind this to be kept confidential may include the interest of robot manufacturers or stakeholders, it does little favour for actual enforcement of any security framework. Therefore, we find it necessary to provide illustrative real public cases whereto any framework may be applied.

Other contributions to robot security, have primarily focused upon providing only partial contributions, e.g. hardening particular aspects of robots, such as middleware , and elaborated on further efforts towards the application aspect or the lower communication aspects .

Recently, some pieces of research such as have brought focus onto the necessity of a framework for the evaluation of IoT device security. Such existing frameworks were targeted by and duly criticized as not suitable due to incompleteness. We share the view that IoT frameworks are not applicable nor valid to provide guidance into the assessment of security to the robotics landscape. It is a common misconception that robots are a particular subset of IoT devices. Due to the fact that robots are often orders of magnitude more complex than common IoT devices, robots are to be considered, if any, a sophistication of a ”network of computers”, consisting of a distributed logic working in an array of sensors, actuators, power mechanisms, user interfaces and other modules that have particular connectivity and modularity requirements. Other recent researches such as claim to perform structured security assessment of a particular IoT robot. Yet, all these aforementioned pieces of research remain, in our opinion, very partial and not stablishing the. Therefore, we find it necessary to systematize assessment by further elaborating on a common and universal reference procedure for robotic systems.

Inspired by the current state of the art, inter alia , we propose the subsequent Robot Security Framework (RSF). We also extend the initial ideas presented in prior art and add our contribution from a roboticist’s perspective. Our main contributions on top of previous work are:

We believe that an integrated approach needs to be adopted to enable a mechanistic understanding that empowers reliable assessment of robot security. To this end, the following section describes our framework.

The Robot Security Framework

We hereby propose a framework based on four layers that are relevant to robotic systems. We subsequently divide them into aspects considered relevant to be covered. Likewise, we provide relevant criteria applicable for security assessment. For each of these criteria we identify what needs to be assessed (objective), why to address such (rationale) and how to systematize evaluation (method), as summarized in Figure 1.

Refer to caption
Figure 1: The Robot Security Framework standardized methodology: RSF is formed by 4 layers (physical, network, firmware, application) where relevant aspects are identified. Each aspect has different evaluation criteria which are analyzed by three points: (1) objective or description of the evaluation, (2) rationale or importance of such aspect and (3) method or systematic action plan.

Physical – layer

Refer to caption
Figure 2: The a) Physical layer identifies the b) Ports and Components aspects, which have been analyzed with the corresponding c)criteria.

Ports – aspect

Exemplary robot scenario 1 Physical security, exploitation of communication ports in robots

As reported by Cerrudo et al. , physical attacks are possible when adversaries can access to the robot’s hardware or mechanics to modify its behaviour or set up a persistent threat. Often, robots expose external ports. Such is the case of robots like Rethink Robotics’ Baxter, Universal Robots’ UR3 or Aldebaran Robotics’ (acquired by Softbank Robotics) Pepper. In their study, Cerrudo and Apa present and demonstrate three main threats for exposed connectivity ports: USB ports, Ethernet ports and power ports. The authors present examples where each one of these threats are systematically exploited. Surprisingly, in some cases, critical damage to the robot can be caused by solely connecting a USB dongle .

Components – aspect:

Network – layer

Refer to caption
Figure 3: The Network layer includes the Internal robot network and External network aspects, which have been analyzed with the corresponding criteria.

Internal robot network – aspect:

Exemplary robot scenario 2 Internal robot network security

External network – aspect:

Exemplary robot scenario 3 Unauthorized Modbus read and write requests

As reported by Cerrudo and Apa , Universal Robots’ UR3, UR5 and UR10 have a default Modbus service (port 502) that does not provide authentication of the source of a command. According to the authors, ”an adversary may attempt to corrupt the robot in a state to negatively affect the process being controlled. An attacker with IP connectivity to the robot can issue Modbus write requests. This could change the state of the robot, make it interoperable, or send requests to actuators to change the state of the joints being controlled.”

Exemplary robot scenario 4 Network fingerprinting of robots

Firmware – layer

Refer to caption
Figure 4: The Firmware layer includes the Operating System, Middleware and Firmware aspects, which have been analyzed with the corresponding criteria.

Operating System (OS) – aspect

Middleware – aspect

Firmware – aspect

Exemplary robot scenario 5 Insecure firmware upgrade in Nao and Pepper robots

As reported by Cerrudo and Apa , Softbank Robotics’ Nao and Pepper robots are subject to a firmware upgrade vulnerability due to insecure firmware upgrade mechanism. According to the authors, ”It is possible to upgrade system components with unsigned firmware images by skipping the signature integrity check.” This vulnerability applies to Softbank’s NAOqi framework, a proprietary robot programming framework used in Softbank Robotics’ products. In particular, NAOqi 2.1.4.13 (NAO), NAOqi 2.4.3.28 (Pepper) and NAOqi 2.5.5.5 (Pepper) have been found vulnerable.

Application – layer

Refer to caption
Figure 5: The Application layer includes the Authorization, Privacy, Integrity, Accounts,Communication, 3rd party libraries and components and Control center application aspects, which have been analyzed with the corresponding criteria.

Authorization – aspect

Privacy – aspect

Integrity – aspect

Accounts – aspect

Communication – aspect

3rd party libraries and components – aspect

Control center application – aspect

Exemplary robot scenario 6 Android application updates in UBTech Robotics’ robots

According to Cerrudo and Apa , UBTech Robotics’ Alpha 1S robot is subject to a vulnerability when updates are triggered from its official Android application. The authors report that ”the Alpha 1S android application does not verify any cryptographic signature when downloading and installing the APK update into the mobile device. Furthermore, due to ’App-to-Server Missing Encryption’ it is possible to perform a man-in-the-middle attack in order to change the APK URL and install a customized malware on the device.”

Conclusions and future work

Robot privacy, integrity and security should be major concerns in a society that increasingly relies on such cyber-physical systems. Few honest efforts have been conducted to address robot security systematics. However, a deep understanding of the discipline’s landscape, along with vast cross-disciplinary approaches, is crucial to provide an integrated security assessment for robotics. The research work herein presents the Robot Security Framework (RSF): a standardized methodology that enables holistic evaluation of robot security. Furthermore, RSF is provided with illustrative practical real-world examples. Following a roboticist’s security approach, our contribution aims at shedding light onto the robot security scene, an area which has remained obscure insofar. Now as then, as well as for the future, we are convinced that a reliable, reproducible and systematic security assessment is a must in any modern use-case of robotics.

Future research is envisioned with regard to constant improvement and testing of RSF. An open source template of our security framework is available at http://github.com/aliasrobotics/RSF and licensed under GPLv3. We kindly invite security researchers, robotic researchers and analysts to review, challenge and complement our work.

Acknowledgements

This research has been partially funded by the Basque Government, throughout the Business Development Agency of the Basque Country (SPRI) through the Ekintzaile 2018 program. Special thanks to BIC Araba for the support provided.

Read the original paper ↗

Citation