Industrial Robots Security

A joint research project between Politecnico di Milano and Trend Micro's FTR

What exactly is an industrial robot?

Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. You can imagine them as mechanical arms able to move on two or more axes. Besides the mechanical arm, an industrial robot contains not just electromechanical components but also a multitude of complex embedded controllers. These embedded controllers are often interconnected with other computers in the factory network and with safety systems, and are connected to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, a single, simple vulnerability can grant attackers an easy entry point.

What's the impact?

Industrial robots must follow three fundamental laws: accurately "read" from the physical world through sensors and "write" (i.e. perform actions) through actuators, refuse to execute self-damaging control logic, and most importantly, echoing Asimov, never harm humans. By combining a set of vulnerabilities we discovered on a real robot, we demonstrated how remote attackers are able to violate such fundamental laws up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.

In the following video, we show an attack we demonstrated in our laboratory on a real industrial robot. We believe that, due to the architectural commonalities of most modern robots, and due to the existence of strict standards, it is representative of a large class of robots.


What is the impact of the Human-Robot Interaction attack?

After following up with ABB Robotics, we want to stress that safeguards are in place to prevent a potential security issue from causing a safety issue. In particular, ABB Robotics let us know the following:

"The operational mode displayed at the teach pendant is for information only and is not part of the safety system. Entering the safeguarded space in automatic mode will always lead to a protective stop regardless of the status information on the FlexPendant since there are mandatory regulations requiring that the safeguarded space shall be established by perimeter guarding. The safety system that implements safety functions is in accordance with EN ISO 10218-1:2011 and has been evaluated according to EN ISO 13849-1:2008 ‘Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design’. As required by EN ISO 10218-1:2011, the safety functions achieve performance level d and category 3."

Unfortunately, a survey among robot users revealed that not all of the deployments actually adhere to the regulations and standards, due to user choices. Therefore, the fact that we were able to easily conduct this attack on a non-compliant deployment reinforces the paramount importance of compliant deployment, as opposed to simply trusting what's displayed on the teach pendant screen.

Have the specific vulnerabilities found in ABB's RobotWare been fixed?

Yes, the specific software vulnerabilities that we discovered in ABB's RobotWare and that we mention in our report were fixed immediately after they were reported in late 2016 (see the security advisory on ABB's website). We acknowledge that ABB has been extremely fast in fixing them and supportive of our work: it has been a pleasure for us to work with them.

I want to write about this, where can I find more info?

Trend Micro's report is a good place to start. Our S&P paper can give some more insight and technical information about the generic attacks we discovered. Also, feel free to contact us!

Are there 80.000+ robots directly exposed to the internet?

No. There are more than 80.000 industrial routers directly connected to the internet. Most Internet-connected industrial devices, such as industrial robots, can be found behind those routers.

Who we are

This research is the outcome of a joint effort between researchers at Politecnico di Milano and Trend Micro Inc.'s FTR.

Main contributors

Davide Quarta, @_ocean
Ph.D. student, Politecnico di Milano
Marcello Pogliani, @mapogli
Ph.D. student, Politecnico di Milano
Mario Polino, @JinBlackx
Postdoctoral researcher, Politecnico di Milano
Federico Maggi, @phretor
Senior Threat Researcher, Trend Micro Forward-Looking Threat Research
Andrea Maria Zanchettin, @zanchettin83
Assistant Professor, Politecnico di Milano
Stefano Zanero, @raistolo
Associate Professor, Politecnico di Milano

Publications and Talks

Federico Maggi, Davide Quarta, Marcello Pogliani, Mario Polino, Andrea Maria Zanchettin, and Stefano Zanero. Rogue Robots: Testing the Limits of an Industrial Robot’s Security. Trend Micro TrendLabs Research Paper, May 2017. [PDF]

Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. An Experimental Security Analysis of an Industrial Robot Controller. 38th IEEE Symposium on Security and Privacy, San José, CA, June 2017. [Paper] [Slides] [Video]

Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. Breaking the Laws of Robotics: Attacking Industrial Robots. Black Hat USA 2017, Las Vegas, NV, 22-27 July 2017. [Slides]

Please use the following bibtex entry to cite our work:

    @inproceedings{CITATION_KEY,
      author = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and Maggi, Federico and Zanchettin, Andrea Maria and Zanero, Stefano},
      title  = {{An Experimental Security Analysis of an Industrial Robot Controller}},
      booktitle = {Proceedings of the 38th IEEE Symposium on Security and Privacy},
      month = {May},
      year = {2017},
      address = {San Jose, CA}
    }

Press Coverage

Articles covering our work (in reverse chronological order):

July 31, 2017
June 28, 2017
May 19, 2017
May 17, 2017
May 16, 2017
May 11, 2017
May 9, 2017
May 8, 2017
May 7, 2017
May 4, 2017
May 3, 2017