SLIDE 1
Breaking the Laws of Robotics
Attacking Industrial Robots
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea M. Zanchettin, Stefano Zanero
Breaking the Laws of Robotics Attacking Industrial Robots Davide - - PowerPoint PPT Presentation
Breaking the Laws of Robotics Attacking Industrial Robots Davide - - PowerPoint PPT Presentation
Breaking the Laws of Robotics Attacking Industrial Robots Davide Quarta , Marcello Pogliani , Mario Polino, Federico Maggi , Andrea M. Zanchettin, Stefano Zanero Industrial robots? Industrial Robot Architecture (Standards) Controller Flexibly
SLIDE 2
SLIDE 3
Industrial Robot Architecture (Standards)
Controller
SLIDE 4
SLIDE 5
Flexibly programmable
& Connected
SLIDE 6
Screenshot of teach pendant + formatted code snippet on the side
SLIDE 7
“Implicit” parameters
SLIDE 8
“Implicit” parameters
SLIDE 9
Flexibly programmable &
Connected
(Part 1)
SLIDE 10
They are already meant to be connected
SLIDE 11
Attack surface
USB port LAN Radio
Services: Well-known (FTP) + custom (RobAPI)
SLIDE 12
Connected Robots: Why?
- Now: monitoring & maintenance ISO 10218-2:2011
- Near future: active production planning and control
○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands
- Future: app/library stores
○ “Industrial” version of robotappstore.com?
SLIDE 13
Connected?
Do you consider
cyber attacks
against robots a
realistic threat?
SLIDE 14
Do you consider
cyber attacks
against robots a
realistic threat?
SLIDE 15
What
consequences
do you foresee?
SLIDE 16
What are the most
valuable assets at risk?
SLIDE 17
impact is much more
important than the
vulnerabilities alone.
SLIDE 18
How do we assess the impact
- f an attack against
industrial robots?
SLIDE 19
We assess impact by reasoning on
requirements
SLIDE 20
Requirements: "Laws of Robotics"
Safety Accuracy Integrity
SLIDE 21
Requirements: "Laws of Robotics"
Safety Accuracy Integrity
Acknowledgements T.U. Munich, YouTube -- Dart Throwing with a Robotic Manipulator
SLIDE 22
Requirements: "Laws of Robotics"
Safety Accuracy Integrity
SLIDE 23
violating any of these requirements via a digital vector
Robot-Specific Attack
Safety Accuracy Integrity
SLIDE 24
Control Loop Alteration
Safety Integrity Attack 1 Accuracy
SLIDE 25
Control Loop Alteration
Safety Integrity Attack 1 Accuracy
SLIDE 26
Control Loop Alteration
Safety Integrity Attack 1 Accuracy
SLIDE 27
SLIDE 28
Calibration Tampering
Safety Accuracy Integrity Attack 2
SLIDE 29
Calibration Tampering
Safety Accuracy Integrity Attack 2
SLIDE 30
Production Logic Tampering
Safety Accuracy Integrity Attack 3
SLIDE 31
Production Logic Tampering
Safety Accuracy Integrity Attack 3
SLIDE 32
Displayed or Actual State Alteration
Safety Accuracy Integrity Attacks 4+5
SLIDE 33
Displayed or Actual State Alteration
Safety Accuracy Integrity Attacks 4+5
SLIDE 34
Malicious DLL
Displayed State Alteration PoC
Teach Pendant
SLIDE 35
Displayed State Alteration PoC
Teach Pendant Malicious DLL
SLIDE 36
Is the Teach Pendant part of the safety system?
SLIDE 37
Is the Teach Pendant part of the safety system? NO
SLIDE 38
Are the
standard safety measures too limiting?
SLIDE 39
Do you
"customize"
the safety measures in your deployment?
SLIDE 40
Standards & Regulations vs. Real World
SLIDE 41
...so far, we assumed the attacker has already compromised the controller...
SLIDE 42
… let’s compromise the controller!
SLIDE 43
Attack surface
USB port LAN Radio
Services: Well-known (FTP) + custom (RobAPI)
SLIDE 44
VxWorks 5.x RTOS (x86) VxWorks 5.x RTOS (PPC) Windows CE (ARM) .NET >=3.5 FTP, RobAPI, ...
SLIDE 45
User Authorization System
User ∈ roles → grants Authentication: username + password Used for FTP, RobAPI, …
SLIDE 46
User Authorization System
SLIDE 47
User Authorization System
tl;dr; read deployment guidelines & deactivate the default user
SLIDE 48
Update problems
FlexPendant Axis Computer Microcontrollers
SLIDE 49
Update problems
FlexPendant Axis Computer Microcontrollers
How? FTP at boot .... plus, no code signing, nothing
SLIDE 50
Update problems
FlexPendant Axis Computer Microcontrollers
FTP? Credentials? Any credential is OK during boot!
ABBVU-DMRO-124644
SLIDE 51
Autoconfiguration is magic!
SLIDE 52
Autoconfiguration is magic!
ABBVU-DMRO-124642
SLIDE 53
FTP RETR /command/whatever read system info FTP STOR /command/command execute “commands”
Enter /command
ABBVU-DMRO-124642
SLIDE 54
FTP RETR /command/whatever read system info FTP STOR /command/command execute “commands”
Enter /command
ABBVU-DMRO-124642
SLIDE 55
FTP GET /command/whatever read, e.g., env. vars FTP PUT /command/command execute “commands” shell reboot shell uas_disable + hard-coded credentials? → remote command execution
Enter /command
ABBVU-DMRO-124642
SLIDE 56
Let’s look at cmddev_execute_command: shell → sprintf(buf, "%s", param)
- ther commands → sprintf(buf, "cmddev_%s", arg)
- verflow buf (on the stack) → remote code execution
Enter /command
ABBVU-DMRO-128238
SLIDE 57
- Ex. 1: RobAPI
- Unauthenticated API endpoint
- Unsanitized strcpy()
→ remote code execution
- Ex. 2: Flex Pendant (TpsStart.exe)
- FTP write /command/timestampAAAAAAA…..AAAAAAA
- file name > 512 bytes ~> Flex Pendant DoS
Other buffer overflows
ABBVU-DMRO-124641, ABBVU-DMRO-124645
SLIDE 58
Takeaways Some memory corruption Mostly logical vulnerabilities All the components blindly trust the main computer (lack of isolation)
SLIDE 59
Complete attack chain (1)
SLIDE 60
Complete attack chain (2)
SLIDE 61
Complete attack chain (3)
SLIDE 62
“Sensitive” files:
- Users’ credentials and permissions
- Sensitive configuration parameters (e.g., PID)
- Industry secrets (e.g., workpiece parameters)
File protection
SLIDE 63
“Sensitive” files:
- Users’ credentials and permissions
- Sensitive configuration parameters (e.g., PID)
- Industry secrets (e.g., workpiece parameters)
Obfuscation: bitwise XOR with a “random” key. Key is derived from the file name. Or from the content. Or …
File protection
SLIDE 64
That’s how we implemented the attacks
SLIDE 65
Attack Surface
?
SLIDE 66
Flexibly programmable &
Connected
(Part 2)
SLIDE 67
SLIDE 68
Ethernet Wireless
SLIDE 69
WAN
SLIDE 70
Not so many...
(yesterday I've just found 10 more)
Remote Exposure of Industrial Robots
Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10
SLIDE 71
Remote Exposure of Industrial Routers
...way many more!
Unknown which routers are actually robot-connected
SLIDE 72
Typical Issues
Trivially "Fingerprintable"
- Verbose banners (beyond brand or model name)
- Detailed technical material on vendor’s website
○ Technical manual: All vendors inspected ○ Firmware: 7/12 vendors
SLIDE 73
Typical Issues (1)
Outdated Software Components
- Application software (e.g., DropBear SSH, BusyBox)
- Libraries (including crypto libraries)
- Compiler & kernel
- Baseband firmware
SLIDE 74
Typical Issues (2)
Insecure Web Interface
- Poor input sanitization
- E.g., code coming straight from a "beginners" blog
Cut & paste
SLIDE 75
Bottom line Connect your robots with care
(follow security best practices & your robot vendor’s guidance)
SLIDE 76
Conclusions
SLIDE 77
Robots are increasingly being connected Industrial robot-specific class of attacks Barrier to entry: quite high, budget-wise Black Hat Sound Bytes
SLIDE 78
Vendors are very responsive As a community we really need to push hard for countermeasures What should we do now?
SLIDE 79
Hints on Countermeasures
Short term Attack detection and deployment hardening Medium term System hardening Long term New standards, beyond safety issues
SLIDE 80
Davide Quarta
davide.quarta@polimi.it @_ocean
Federico Maggi
federico_maggi@trendmicro.com @phretor
Marcello Pogliani
marcello.pogliani@polimi.it @mapogli
Papers, slides, and FAQ http://robosec.org — http://bit.ly/2qy29oq
Questions?
SLIDE 81
Questions?
SLIDE 82
Breaking the Laws of Robotics
Attacking Industrial Robots
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea M. Zanchettin, Stefano Zanero