A joint research project between Politecnico di Milano and Trend Micro's FTR
Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. You can imagine them as mechanical arms able to move on two or more axes. Besides the mechanical arm, an industrial robot contains not only electromechanical components but a multitude of complex embedded controllers. These embedded controllers are often interconnected with other computers in the factory network, with safety systems, and with the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller, so a single, simple vulnerability can give attackers an easy entry point.
Industrial robots must follow three fundamental laws: accurately "read" from the physical world through sensors and "write" (i.e. perform actions) through actuators, refuse to execute self-damaging control logic, and most importantly, echoing Asimov, never harm humans. By combining a set of vulnerabilities we discovered on a real robot, we demonstrated how remote attackers are able to violate such fundamental laws up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.
In the following video, we show an attack we demonstrated in our laboratory on a real industrial robot. We believe that, due to the architectural commonalities of most modern robots and to the existence of strict standards, this attack is representative of a large class of robots. To learn more, head over to our 2017 Black Hat talk and S&P paper!
In the following video, we show how an attacker could alter an automation script of a vulnerable robot and thus be able to control its movements. To learn more about this, head over to our 2020 Black Hat talk and ASIACCS paper!
This research is the outcome of a joint effort between researchers at Politecnico di Milano, and Trend Micro Inc.'s FTR.
Furthermore, the May 2020 whitepaper wouldn't have been possible without the invaluable support of the Industry 4.0 Lab of Politecnico's School of Management, and of its lab members Giacomo Tavola and Walter Quadrini.
Marcello Pogliani, Federico Maggi, Marco Balduzzi, Davide Quarta, Stefano Zanero. Detecting Insecure Code Patterns in Industrial Robot Programs. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20), October 5-9, 2020, Virtual Conference. [PDF] [Slides] [Video]
Marcello Pogliani, Davide Quarta, Mario Polino, Martino Vittone, Federico Maggi, and Stefano Zanero. Security of Controlled Manufacturing Systems in the Connected Factory: The Case of Industrial Robots. Journal of Computer Virology and Hacking Techniques, February 2019. [PDF]
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. An Experimental Security Analysis of an Industrial Robot Controller. 38th IEEE Symposium on Security and Privacy, San José, CA, June 2017. [Paper] · [Slides] · [Video]
Please use the following bibtex entries to cite our work:
@inproceedings{quarta17:robosec,
  author    = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and Maggi, Federico and Zanchettin, Andrea Maria and Zanero, Stefano},
  title     = {{An Experimental Security Analysis of an Industrial Robot Controller}},
  booktitle = {Proceedings of the 38th IEEE Symposium on Security and Privacy},
  month     = {May},
  year      = {2017},
  address   = {San Jose, CA}
}

@inproceedings{pogliani20:detecting,
  author    = {Pogliani, Marcello and Maggi, Federico and Balduzzi, Marco and Quarta, Davide and Zanero, Stefano},
  title     = {{Detecting Insecure Code Patterns in Industrial Robot Programs}},
  booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20)},
  month     = {October},
  year      = {2020},
  address   = {Taipei, TW}
}
Federico Maggi and Marcello Pogliani, with contributions from Martino Vittone, Davide Quarta, Stefano Zanero, Marco Balduzzi, Rainer Vosseler, Martin Rosler. Rogue Automation. Vulnerable and Malicious Code in Industrial Programming. Trend Micro Research Whitepaper, August 2020. [PDF] · [Project Page]
Federico Maggi and Marcello Pogliani, with contributions from Martin Rosler, Marco Balduzzi, Rainer Vosseler, Stefano Zanero, Davide Quarta and Walter Quadrini. Attacks on Smart Manufacturing Systems. A Forward-looking Security Analysis. Trend Micro Research Whitepaper, May 2020. [PDF]
Federico Maggi, Davide Quarta, Marcello Pogliani, Mario Polino, Andrea Maria Zanchettin, and Stefano Zanero. Rogue Robots: Testing the Limits of an Industrial Robot’s Security. Trend Micro TrendLabs Research Paper, May 2017. [PDF]
Federico Maggi and Marcello Pogliani. Beware of the Robot! Vulnerabilities in Industrial Automation Scripts ...and How to Find Them! (talk in Italian). HackInBo Winter Edition 2020, Virtual Conference, 31 October 2020. [Slides] [Video (in Italian)]
Federico Maggi, Marcello Pogliani, Davide Quarta, Stefano Zanero, Marco Balduzzi. OTRazor: Static Code Analysis for Vulnerability Discovery in Industrial Automation Scripts. Blackhat USA 2020, Virtual Conference, 5-6 August 2020. [Slides]
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. TR18/NGI18: Breaking the Laws of Robotics: Attacking Industrial Robots. TROOPERS NGI 18, Heidelberg, 13 March 2018. [Slides] · [Video]
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. Breaking the Laws of Robotics: Attacking Industrial Robots. Blackhat USA 2017, Las Vegas, NV, 22-27 July 2017. [Slides] · [Video]
Main articles covering our work (in reverse chronological order):