breaking the laws of robotics
play

Breaking the Laws of Robotics Attacking Industrial Robots Davide - PowerPoint PPT Presentation

Dec 31, 2023 •192 likes •1.03k views

Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero Industrial robots? Industrial Robot Architecture (Standards) Controller Flexibly

  1. Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero

  2. Industrial robots?

  3. Industrial Robot Architecture (Standards) Controller

  5. Flexibly programmable & Connected

  6. Screenshot of teach pendant + formatted code snippet on the side

  7. “Implicit” parameters

  8. “Implicit” parameters

  9. Flexibly programmable & Connected (Part 1)

  10. They are already meant to be connected

  11. Services: USB port Well-known (FTP) + custom (RobAPI) LAN Attack surface Radio

  12. Connected Robots: Why? ● Now: monitoring & maintenance ISO 10218-2:2011 ● Near future: active production planning and control ○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands ● Future: app/library stores ○ “Industrial” version of robotappstore.com?

  13. Connected? Do you consider cyber attacks against robots a realistic threat?

  14. Do you consider cyber attacks against robots a realistic threat?

  15. What consequences do you foresee?

  16. What are the most valuable assets at risk?

  17. impact is much more important than the vulnerabilities alone.

  18. How do we assess the impact of an attack against industrial robots?

  19. We assess impact by reasoning on requirements

  20. Requirements: "Laws of Robotics" Safety Accuracy Integrity

  21. Requirements: "Laws of Robotics" Safety Accuracy Integrity Acknowledgements T.U. Munich, YouTube -- Dart Throwing with a Robotic Manipulator

  22. Requirements: "Laws of Robotics" Safety Accuracy Integrity

  23. Robot-Specific Attack Safety violating any of these Accuracy requirements via a digital vector Integrity

  24. Control Loop Alteration Attack 1 Safety Accuracy Integrity

  25. Control Loop Alteration Attack 1 Safety Accuracy Integrity

  26. Control Loop Alteration Attack 1 Safety Accuracy Integrity

  28. Calibration Tampering Attack 2 Safety Accuracy Integrity

  29. Calibration Tampering Attack 2 Safety Accuracy Integrity

  30. Production Logic Tampering Attack 3 Safety Accuracy Integrity

  31. Production Logic Tampering Attack 3 Safety Accuracy Integrity

  32. Displayed or Actual State Alteration Attacks 4+5 Safety Accuracy Integrity

  33. Displayed or Actual State Alteration Attacks 4+5 Safety Accuracy Integrity

  34. Displayed State Alteration PoC Malicious DLL Teach Pendant

  35. Displayed State Alteration PoC Malicious DLL Teach Pendant

  36. Is the Teach Pendant part of the safety system?

  37. Is the Teach Pendant part of the safety system? NO

  38. Are the standard safety measures too limiting?

  39. Do you "customize" the safety measures in your deployment?

  40. Standards & Regulations vs. Real World

  41. ...so far, we assumed the attacker has already compromised the controller...

  42. … let’s compromise the controller!

  43. Services: USB port Well-known (FTP) + custom (RobAPI) LAN Attack surface Radio

  44. VxWorks 5.x RTOS (PPC) VxWorks 5.x FTP, RobAPI, ... RTOS (x86) Windows CE (ARM) .NET >=3.5

  45. User Authorization System User ∈ roles → grants Authentication: username + password Used for FTP, RobAPI, …

  46. User Authorization System

  47. User Authorization System tl;dr; read deployment guidelines & deactivate the default user

  48. Update problems FlexPendant Axis Computer Microcontrollers

  49. Update problems FlexPendant Axis Computer Microcontrollers How? FTP at boot .... plus, no code signing, nothing

  50. Update problems FlexPendant Axis Computer Microcontrollers FTP? Credentials? Any credential is OK during boot! ABBVU-DMRO-124644

  51. Autoconfiguration is magic!

  52. Autoconfiguration is magic! ABBVU-DMRO-124642

  53. Enter /command FTP RETR /command/whatever read system info FTP STOR /command/command execute “commands” ABBVU-DMRO-124642

  54. Enter /command FTP RETR /command/whatever read system info FTP STOR /command/command execute “commands” ABBVU-DMRO-124642

  55. Enter /command FTP GET /command/whatever read, e.g., env. vars FTP PUT /command/command execute “commands” shell reboot shell uas_disable + hard-coded credentials? → remote command execution ABBVU-DMRO-124642

  56. Enter /command Let’s look at cmddev_execute_command : shell → sprintf(buf, "%s", param) other commands → sprintf(buf, "cmddev_%s", arg) overflow buf (on the stack) → remote code execution ABBVU-DMRO-128238

  57. Other buffer overflows Ex. 1: RobAPI ● Unauthenticated API endpoint ● Unsanitized strcpy() → remote code execution Ex. 2: Flex Pendant ( TpsStart.exe ) ● FTP write /command/timestampAAAAAAA … ..AAAAAAA ● file name > 512 bytes ~> Flex Pendant DoS ABBVU-DMRO-124641, ABBVU-DMRO-124645

  58. Takeaways Some memory corruption Mostly logical vulnerabilities All the components blindly trust the main computer (lack of isolation)

  59. Complete attack chain (1)

  60. Complete attack chain (2)

  61. Complete attack chain (3)

  62. File protection “Sensitive” files: ● Users’ credentials and permissions ● Sensitive configuration parameters (e.g., PID) ● Industry secrets (e.g., workpiece parameters)

  63. File protection “Sensitive” files: ● Users’ credentials and permissions ● Sensitive configuration parameters (e.g., PID) ● Industry secrets (e.g., workpiece parameters) Obfuscation : bitwise XOR with a “random” key. Key is derived from the file name. Or from the content. Or …

  64. That’s how we implemented the attacks

  65. Attack Surface ?

  66. Flexibly programmable & Connected (Part 2)

  68. Ethernet Wireless

  69. WAN

  70. Remote Exposure of Industrial Robots Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10 Not so many... (yesterday I've just found 10 more)

  71. Remote Exposure of Industrial Routers ...way many more! Unknown which routers are actually robot-connected

  72. Typical Issues Trivially "Fingerprintable" ● Verbose banners (beyond brand or model name) ● Detailed technical material on vendor’s website ○ Technical manual: All vendors inspected ○ Firmware: 7 /12 vendors

  73. Typical Issues (1) Outdated Software Components ● Application software (e.g., DropBear SSH, BusyBox) ● Libraries (including crypto libraries) ● Compiler & kernel ● Baseband firmware

  74. Typical Issues (2) Insecure Web Interface ● Poor input sanitization ● E.g., code coming straight from a "beginners" blog Cut & paste

  75. Bottom line Connect your robots with care (follow security best practices & your robot vendor’s guidance)

  76. Conclusions

  77. Black Hat Sound Bytes Robots are increasingly being connected Industrial robot-specific class of attacks Barrier to entry: quite high , budget-wise

  78. What should we do now? Vendors are very responsive As a community we really need to push hard for countermeasures

  79. Hints on Countermeasures Short term Attack detection and deployment hardening Medium term System hardening Long term New standards, beyond safety issues

  80. Questions? Davide Quarta Marcello Pogliani Federico Maggi davide.quarta@polimi.it marcello.pogliani@polimi.it federico_maggi@trendmicro.com @_ocean @mapogli @phretor Papers, slides, and FAQ http://robosec.org — http://bit.ly/2qy29oq

  81. Questions?

  82. Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Breaking the Laws Of Robotics @TR18 Davide Quarta @_ocean Marcello Pogliani @mapogli Mario

Breaking the Laws Of Robotics @TR18 Davide Quarta @_ocean Marcello Pogliani @mapogli Mario

Breaking the Laws Of Robotics @TR18 Davide Quarta @_ocean Marcello Pogliani @mapogli Mario Polino @jinblackx Federico Maggi @phretor Stefano Zanero @raistolo https://mg-iii.deviantart.com/art/I-Robot-54308587 8 Industrial robots?

1.11k views • 86 slides
i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

Symmetry is fundamental to our understanding of the basic laws of physics Mass is always associated with symmetry breaking Easier to discover the symmetry: e.g. SU(2) x U(1) Harder to discover the symmetry breaking mechanism, i.e., Higgs? 1

862 views • 24 slides
MP2: Ancient Mine Exploration By: Rohan Tabish What have we learned so far ? Recap - Asimov Laws

MP2: Ancient Mine Exploration By: Rohan Tabish What have we learned so far ? Recap - Asimov Laws

MP2: Ancient Mine Exploration By: Rohan Tabish What have we learned so far ? Recap - Asimov Laws for Robotics Recap - Asimov Laws for Robotics Recap - Asimov Laws for Robotics What kinds of robots we want? What kinds of robots we want?

487 views • 35 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
AI and Robotics Search Techniques in AI and Robotics AI Robotics AAAI,IJCAI ICRA, IROS

AI and Robotics Search Techniques in AI and Robotics AI Robotics AAAI,IJCAI ICRA, IROS

AI and Robotics Search Techniques in AI and Robotics AI Robotics AAAI,IJCAI ICRA, IROS ICAPS, AAMAS lots of smaller conferences Sven Koenig University of Southern California skoenig@usc.edu The symposium is supported by NSF! e.g. search

400 views • 5 slides
Three New Laws of AI Qiang Yang CAIO, WeBank, Chair Professor, HKUST 2020.7

Three New Laws of AI Qiang Yang CAIO, WeBank, Chair Professor, HKUST 2020.7

Three New Laws of AI Qiang Yang CAIO, WeBank, Chair Professor, HKUST 2020.7 https://www.fedai.org/ 1 Three Laws of Robotics Asimov First Law: A robot may not injure a human being, or through interaction, allow a human being to

1.08k views • 56 slides
Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on

Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on

Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on what should we call for reforms? Yao Graham s speaking notes at 2018 Alternative Mining Indaba 1. Greetings to all. Gratitude to organisers for

605 views • 6 slides
Mobile & Service Robotics Mobile & Service Robotics Sensors for Sensors for Robotics

Mobile & Service Robotics Mobile & Service Robotics Sensors for Sensors for Robotics

Mobile & Service Robotics Mobile & Service Robotics Sensors for Sensors for Robotics Sensors for Sensors for Robotics Robotics 1 Robotics 1 An Example of robots with their sensors 2 Basilio Bona Robotica 03CFIOR 2011 Another

583 views • 20 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

18/02/2015 ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics studies robots For history and definitions see the 2013 slides

357 views • 7 slides
Mobile & Service Robotics Mobile & Service Robotics Sensors for Robotics Sensors for

Mobile & Service Robotics Mobile & Service Robotics Sensors for Robotics Sensors for

Mobile & Service Robotics Mobile & Service Robotics Sensors for Robotics Sensors for Robotics 2 Sensors for Robotics Sensors for Robotics 2 Sensors for mobile robots Objectives: perceive, analyze and understand the environment

561 views • 42 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino What is Robotics? Robotics studies robots For history and definitions see the 2013 slides

702 views • 14 slides
From Robotic Systems to Robotics-grounded AI Systems Maxim Likhachev Robotics Institute &

From Robotic Systems to Robotics-grounded AI Systems Maxim Likhachev Robotics Institute &

From Robotic Systems to Robotics-grounded AI Systems Maxim Likhachev Robotics Institute & NREC Carnegie Mellon University Transitioning Robotics Systems into the Real World Lots of progress in the last decade, with various robotics

416 views • 9 slides
Overview n Perception for robotics Page 1 Overview n Perception for robotics Overview

Overview n Perception for robotics Page 1 Overview n Perception for robotics Overview

Perception for Robotics: Instance Detection Pieter Abbeel UC Berkeley EECS Overview n Perception for robotics Page 1 Overview n Perception for robotics Overview n Perception for robotics n Accurately localizing (specific)

532 views • 22 slides
Robotics Engineering Prof. Michael Gennert Robotics Engineering Program Director Fall 2016

Robotics Engineering Prof. Michael Gennert Robotics Engineering Program Director Fall 2016

Robotics Engineering Prof. Michael Gennert Robotics Engineering Program Director Fall 2016 Robotics Education Gap Robotics Research PhD @ Large Research Robotics University Engineering Industrial Robotics Technology AA, AS @ Making

945 views • 22 slides
The Robot Operating System (ROS) Introduction, Concepts and Examples Stefano Rosa, 8/5/2015

The Robot Operating System (ROS) Introduction, Concepts and Examples Stefano Rosa, 8/5/2015

Robotics Research Group Politecnico di Torino The Robot Operating System (ROS) Introduction, Concepts and Examples Stefano Rosa, 8/5/2015 Mobile robotics Robotics Service robotics Service robotics Industrial robotics Exploration robotics

1.37k views • 63 slides
ROBOTICS ROBOTICS A brief history A brief history Basilio Bona ROBOTICA 03CFIOR 1 Outline

ROBOTICS ROBOTICS A brief history A brief history Basilio Bona ROBOTICA 03CFIOR 1 Outline

ROBOTICS ROBOTICS A brief history A brief history Basilio Bona ROBOTICA 03CFIOR 1 Outline A brief history of robotics What is a robot and what is robotics Classification of robotic applications Industrial robotics

467 views • 35 slides
SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew

SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew

SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew Gordon Wilson, Kilian Q. Weinberger June 12, 2019 <latexit

383 views • 11 slides
How we look inside stars: stellar evolution codes & Mathieu Renzo, PhD student @ API,

How we look inside stars: stellar evolution codes & Mathieu Renzo, PhD student @ API,

Computational Astrophysics 18/01/16 How we look inside stars: stellar evolution codes & Mathieu Renzo, PhD student @ API, UvA Traditional scientific knowledge has generally taken the form of either theory or experimental data.

503 views • 32 slides
Introduction to Selected Classes of the QuantLib Library II Dimitri Reiswich December 2010

Introduction to Selected Classes of the QuantLib Library II Dimitri Reiswich December 2010

Introduction to Selected Classes of the QuantLib Library II Dimitri Reiswich December 2010 Dimitri Reiswich QuantLib Intro II December 2010 1 / 148 In the whole tutorial I assume that you have included the QuantLib header via #include

1.64k views • 149 slides
Scripting using ImageJ Macro - a quick 1 hour tutorial - We use Fiji. http://fiji.sc please

Scripting using ImageJ Macro - a quick 1 hour tutorial - We use Fiji. http://fiji.sc please

Scripting using ImageJ Macro - a quick 1 hour tutorial - We use Fiji. http://fiji.sc please download and install. Kota Miura @ CMCI EMBL 2-1 Why do we write macro? Aim: Students acquire ImageJ macro programming techniques to ease their

616 views • 57 slides
Patient Beds Patient Beds The Ceiling Lift is brand The patient beds in the new for the staff

Patient Beds Patient Beds The Ceiling Lift is brand The patient beds in the new for the staff

Staff Real-Time Staff Real-Time STAFF REAL-TIME STAFF REAL-TIME Nurse Call System Nurse Call System NURSE CALL SYSTEM NURSE CALL SYSTEM NURSE CALL SYSTEM NURSE CALL SYSTEM LOCATION LOCATION Location Location GENERAL GENERAL (General)

443 views • 4 slides
Obstetric Emergencies respect to my current presentation. William M. Gilbert, MD Regional

Obstetric Emergencies respect to my current presentation. William M. Gilbert, MD Regional

I have no financial conflicts of interest with Obstetric Emergencies respect to my current presentation. William M. Gilbert, MD Regional Medical Director, Womens Services Sutter Health Valley Region & Clinical Professor OB/GYN

296 views • 10 slides
Asthma Coalition Improving Population Health

Asthma Coalition Improving Population Health

Asthma Coalition Improving Population Health _________________________________________________________________________ Susanne Curry MS, RN, ACNS-BC, RN-BC, AE-C Manager Clinical Practice June 2017 St. Lukes Cornwall Hospital Who We Are

893 views • 21 slides
Nursing Informatics Led Optimization Program Ellen Pollack, MSN, RN-BC CNIO UCLA Health 4

Nursing Informatics Led Optimization Program Ellen Pollack, MSN, RN-BC CNIO UCLA Health 4

Nursing Informatics Led Optimization Program Ellen Pollack, MSN, RN-BC CNIO UCLA Health 4 hospitals 952 Inpa+ent beds ~60,000 hospital encounters 250+ outpa+ent prac+ces 1.5 mil outpa+ent

858 views • 36 slides

More recommend