Industrial robot arm

Industrial Robots Security

A joint research project between Politecnico di Milano and Trend Micro's FTR

What is exactly an industrial robot?

Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. You can imagine them as mechanical arms able to move on two or more axes. Besides the mechanical arm, inside an industrial robot there are not just electromechanical components but a multitude of complex embedded controllers. These embedded controllers are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point.

What's the impact?

Industrial robots must follow three fundamental laws: accurately "read" from the physical world through sensors and "write" (i.e. perform actions) through actuators, refuse to execute self-damaging control logic, and most importantly, echoing Asimov, never harm humans. By combining a set of vulnerabilities we discovered on a real robot, we demonstrated how remote attackers are able to violate such fundamental laws up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.

In the following video, we show an attack we demonstrated in our laboratory on a real industrial robot—we believe that, due to the architectural commonalities of most modern robots, and due to the existence of strict standards, is representative of a large class of robots. To learn more, head over to our 2017 Black Hat talk and S&P paper!

In the following video, we show how an attacker could alter an automation script of a vulnerable robot and thus be able to control its movements. To learn more about this, head over to our 2020 Black Hat talk and ASIACCS paper!

Who we are

This research is the outcome of a joint effort between researchers at Politecnico di Milano, and Trend Micro Inc.'s FTR.

Contact us: info@robosec.org

Main contributors

Davide Quarta, @_ocean
Postdoctoral Researcher, EURECOM (previously: Ph.D. student, Politecnico di Milano)
Marcello Pogliani, @mapogli
Security Engineer, Secure Network Srl (previously: Ph.D. student, Politecnico di Milano)
Federico Maggi, @phretor
Senior Threat Researcher, Trend Micro Forward-Looking Threat Research
Mario Polino, @JinBlackx
Postdoctoral researcher, Politecnico di Milano
Stefano Zanero, @raistolo
Associate Professor, Politecnico di Milano

Other contributors

Andrea Maria Zanchettin, @zanchettin83
Associate Professor, Politecnico di Milano (faculty member of the MERLIN Lab, that kindly agreed to let us "hack" one of their robots...)
Marco Balduzzi, @embyte
Senior Threat Researcher, Trend Micro Forward-Looking Threat Research
Martino Vittone
Master's Student, Politecnico di Milano

Furthermore, the May 2020 whitepaper wouldn't have been possible without the invaluable support of the Industry 4.0 Lab of Politecnico's School of Management, and of its lab members Giacomo Tavola and Walter Quadrini.

Academic Publications

Marcello Pogliani, Federico Maggi, Marco Balduzzi, Davide Quarta, Stefano Zanero. Detecting Insecure Code Patterns in Industrial Robot Programs. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20), October 5-9, 2020, Virtual Conference. [PDF] [Slides] [Video]

Marcello Pogliani, Davide Quarta, Mario Polino, Martino Vittone, Federico Maggi, and Stefano Zanero. Security of Controlled Manufacturing Systems in the Connected Factory: The Case of Industrial Robots. Journal of Computer Virology and Hacking Techniques, February 2019. [PDF]

Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. An Experimental Security Analysis of an Industrial Robot Controller. 38th IEEE Symposium on Security and Privacy, San José, CA, June 2017. [Paper] · [Slides] [Video]

Please use the following bibtex entries to cite our work: 

@inproceedings{quarta17:robosec,
    author = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and Maggi, Federico and Zanchettin, Andrea Maria and Zanero, Stefano},
    title  = {{An Experimental Security Analysis of an Industrial Robot Controller}},
    booktitle = {Proceedings of the 38th IEEE Symposium on Security and Privacy},
    month = {May},
    year = {2017},
    address = {San Jose, CA}
}

@inproceedings{pogliani20:detecting,
    author = {Pogliani, Marcello and Maggi, Federico and Balduzzi, Marco and Quarta, Davide and Zanero, Stefano},
    title = {{Detecting Insecure Code Patterns in Industrial Robot Programs}},
    booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20)},
    month = {October},
    year = {2020},
    address = {Taipei, TW}
}

Technical Whitepapers

Federico Maggi and Marcello Pogliani, with contributions from Martino Vittone, Davide Quarta, Stefano Zanero, Marco Balduzzi, Rainer Vosseler, Martin Rosler. Rogue Automation. Vulnerable and Malicious Code in Industrial Programming. Trend Micro Research Whitepaper, August 2020. [PDF] · [Project Page]

Federico Maggi and Marcello Pogliani, with contributions from Martin Rosler, Marco Balduzzi, Rainer Vosseler, Stefano Zanero, Davide Quarta and Walter Quadrini. Attacks on Smart Manufacturing Systems. A Forward-looking Security Analysis. Trend Micro Research Whitepaper, May 2020. [PDF]

Federico Maggi, Davide Quarta, Marcello Pogliani, Mario Polino, Andrea Maria Zanchettin, and Stefano Zanero. Rogue Robots: Testing the Limits of an Industrial Robot’s Security. Trend Micro TrendLabs Research Paper, May 2017. [PDF]

Talks

Federico Maggi and Marcello Pogliani. Beware of the Robot! Vulnerabilities in Industrial Automation Scripts ...and How to Find Them! (talk in Italian). HackInBo Winter Edition 2020, Virtual Conference, 31 October 2020. [Slides] [Video (in Italian)]

Federico Maggi, Marcello Pogliani, Davide Quarta, Stefano Zanero, Marco Balduzzi. OTRazor: Static Code Analysis for Vulnerability Discovery in Industrial Automation Scripts . Blackhat USA 2020, Virtual Conference, 5-6 August 2020. [Slides]

Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. TR18/NGI18: Breaking the Laws of Robotics: Attacking Industrial Robots. TROOPERS NGI 18, Heidelberg, 13 March 2018. [Slides] · [Video]

Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. Breaking the Laws of Robotics: Attacking Industrial Robots. Blackhat USA 2017, Las Vegas, NV, 22-27 July 2017. [Slides] · [Video]

FAQ

What is the impact of the Human-Robot Interaction attack?
After follow up with ABB Robotics, we want to stress that safeguards are in place to prevent that a potential security issue can cause a safety issue. In particular, ABB Robotics let us know the following:
"The operational mode displayed at the teach pendant is for information only and is not part of the safety system. Entering the safeguarded space in automatic mode will always lead to a protective stop regardless of the status information on the FlexPendant since there are mandatory regulations requiring that the safeguarded space shall be established by perimeter guarding. The safety system that implements safety functions is in accordance with EN ISO 10218-1:2011 and has been evaluated according to EN ISO 13849-1:2008 ‘Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design‘. As required by EN ISO 10218-1:2011, the safety functions achieve performance level d and category 3."
Unfortunately, a survey among robot users revealed that not all of the deployments actually adhere the regulations and standards, due to user choices. Therefore, the fact that we were able to easily conduct this attack on a non-compliant deployment reinforces the paramount importance of compliant deployment, as opposed to simply trusting what's displayed on the teach pendant screen.
Have the specific vulnerabilities found in ABB's RobotWare been fixed?
Yes, the specific software vulnerabilities that we discovered in ABB's RobotWare and we mention in our report have been fixed immediately after they have been reported in late 2016 (see the security advisory on ABB's website). We acknowledge that ABB has been extremely fast in fixing them and supportive of our work: it has been a pleasure for us working with them.
I want to write about this, where can I find more info?
Trend Micro's report is a good place to start. Our S&P paper can give some more insight and technical informations about the generic attacks we discovered. Also, feel free to contact us!
Are there 80.000+ robots directly exposed to the internet?
No. There are more than 80.000 industrial routers directly connected to the internet. Most Internet-connected industrial devices, such as industrial robots, can be found behind those routers.

Press Coverage

Main articles covering our work (in reverse chronological order):

August 2020
May 2020
July, 2017
June, 2017
May, 2017