Industrial Robots Security
A joint research project between Politecnico di Milano and Trend Micro's FTR
What is exactly an industrial robot?
Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. You can imagine them as mechanical arms able to move on two or more axes. Besides the mechanical arm, inside an industrial robot there are not just electromechanical components but a multitude of complex embedded controllers. These embedded controllers are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point.
What's the impact?
Industrial robots must follow three fundamental laws: accurately "read" from the physical world through sensors and "write" (i.e. perform actions) through actuators, refuse to execute self-damaging control logic, and most importantly, echoing Asimov, never harm humans. By combining a set of vulnerabilities we discovered on a real robot, we demonstrated how remote attackers are able to violate such fundamental laws up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.
In the following video, we show an attack we demonstrated in our laboratory on a real industrial robot—we believe that, due to the architectural commonalities of most modern robots, and due to the existence of strict standards, is representative of a large class of robots.
FAQ
- What is the impact of the Human-Robot Interaction attack?
- After follow up with ABB Robotics, we want to stress that safeguards are in place to prevent that a potential security issue can cause a safety issue. In particular, ABB Robotics let us know the following:
"The operational mode displayed at the teach pendant is for information only and is not part of the safety system. Entering the safeguarded space in automatic mode will always lead to a protective stop regardless of the status information on the FlexPendant since there are mandatory regulations requiring that the safeguarded space shall be established by perimeter guarding. The safety system that implements safety functions is in accordance with EN ISO 10218-1:2011 and has been evaluated according to EN ISO 13849-1:2008 ‘Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design‘. As required by EN ISO 10218-1:2011, the safety functions achieve performance level d and category 3." Unfortunately, a survey among robot users revealed that not all of the deployments actually adhere the regulations and standards, due to user choices. Therefore, the fact that we were able to easily conduct this attack on a non-compliant deployment reinforces the paramount importance of compliant deployment, as opposed to simply trusting what's displayed on the teach pendant screen. - Have the specific vulnerabilities found in ABB's RobotWare been fixed?
- Yes, the specific software vulnerabilities that we discovered in ABB's RobotWare and we mention in our report have been fixed immediately after they have been reported in late 2016 (see the security advisory on ABB's website). We acknowledge that ABB has been extremely fast in fixing them and supportive of our work: it has been a pleasure for us working with them.
- I want to write about this, where can I find more info?
- Trend Micro's report is a good place to start. Our S&P paper can give some more insight and technical informations about the generic attacks we discovered. Also, feel free to contact us!
- Are there 80.000+ robots
directly exposed to the internet? - No. There are more than 80.000 industrial routers directly connected to the internet. Most Internet-connected industrial devices, such as industrial robots, can be found behind those routers.
Who we are
This research is the outcome of a joint effort between researchers at Politecnico di Milano, and Trend Micro Inc.'s FTR.
Main contributors
- Davide Quarta, @_ocean
- Ph.D. student, Politecnico di Milano
- Marcello Pogliani, @mapogli
- Ph.D. student, Politecnico di Milano
- Mario Polino, @JinBlackx
- Postdoctoral researcher, Politecnico di Milano
- Federico Maggi, @phretor
- Senior Threat Researcher, Trend Micro Forward-Looking Threat Research
- Andrea Maria Zanchettin, @zanchettin83
- Assistant Professor, Politecnico di Milano
- Stefano Zanero, @raistolo
- Associate Professor, Politecnico di Milano
Publications and Talks
Federico Maggi, Davide Quarta, Marcello Pogliani, Mario Polino, Andrea Maria Zanchettin, and Stefano Zanero. Rogue Robots: Testing the Limits of an Industrial Robot’s Security. Trend Micro TrendLabs Research Paper, May 2017. [PDF]
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. An Experimental Security Analysis of an Industrial Robot Controller. 38th IEEE Symposium on Security and Privacy, San José, CA, June 2017. [Paper] [Slides] [Video]
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. Breaking the Laws of Robotics: Attacking Industrial Robots. Blackhat USA 2017, Las Vegas, NV, 22-27 July 2017. [Slides] [Video]
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. TR18/NGI18: Breaking the Laws of Robotics: Attacking Industrial Robots. TROOPERS NGI 18, Heidelberg, 13 March 2018. [Slides] [Video]
Marcello Pogliani, Davide Quarta, Mario Polino, Martino Vittone, Federico Maggi, and Stefano Zanero. Security of Controlled Manufacturing Systems in the Connected Factory: The Case of Industrial Robots. Journal of Computer Virology and Hacking Techniques, February 2019.
Please use the following bibtex entry to cite our work:
@inproceedings{quarta17:robosec,
author = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and Maggi, Federico and Zanchettin, Andrea Maria and Zanero, Stefano},
title = {{An Experimental Security Analysis of an Industrial Robot Controller}},
booktitle = {Proceedings of the 38th IEEE Symposium on Security and Privacy},
month = {May},
year = {2017},
address = {San Jose, CA}
}
Press Coverage
Articles covering our work (in reverse chronological order):
July 31, 2017
June 28, 2017
- the morning paper An experimental security analysis of an industrial robot controller
May 19, 2017
- ANSA.it (Italian): A rischio di attacchi hacker i robot dell'industria 4.0
May 17, 2017
May 16, 2017
- IEEE Spectrum: New Report Highlights Dangers of Hacked Factory Robots
May 11, 2017
May 9, 2017
- ComputerWorld: Industrial robots are security weak link
May 8, 2017
May 7, 2017
- InformationSecurityBuzz: Researchers Remotely Hack An Industrial Robot And Manipulate Its Commands
May 4, 2017
- Hackaday: Industrial robots, hacking and sabotage
- SafeUM: Researchers find factory robots can be easily hacked
- Numerama (French): Les robots industriels connectés, prochaines cibles des hackers ?
- Hackread: Researchers hack industrial robots; yet another IoT disaster
- MIT Technology Review—The Download: Factory Robot Hacks, Electric Medication, and Laws Against Encryption
- The Register: Industrial plant robots frequently connected to the 'net without authentication
- Softpedia: Factory Robots Are Easy to Hack, Researchers Show
- FayerWayer (Spanish): Trend Micro demuestra que puede hackear un robot industrial
- International Business Times UK: Watch researchers remotely hack an industrial robot and manipulate its commands
- Il Secolo XIX (Italian): Così i robot industriali possono essere hackerati
- La Stampa (Italian): Così i robot industriali possono essere hackerati
- Manufacturing.net: Massive Industrial Robots Vulnerable To Being Hacked
May 3, 2017
- Inc.: Hackers Could Control Industrial Robots to Make Defective Airplanes
- Autoblog (Italian): Robot industriali: allarme hacker per chi produce le auto
- SecurityWeek: Industrial Robots Vulnerable to Remote Hacker Attacks
- CNBC: Industrial robots that build cars can be easily hacked
- CNET: Researchers find factory robots can be easily hacked
- WIRED: Watch Hackers Sabotage an Industrial Robot Arm
- Motherboard: Hackers Are Remotely Controlling Industrial Robots Now
- Help Net Security: Hacking industrial robots in today’s smart factories
- DARKReading: Researchers Hack Industrial Robot
- Forbes CyberSecurity: Catastrophe Warning: Watch An Industrial Robot Get Hacked
We were also featured on:
- Drives&Controls: As a kid, I wanted a robot
- Evertiq: As a kid, I wanted a robot
- Bleeping Computer: Watch Researchers Hack an Industrial Robot and Sabotage Production
- BetaNews: Assembly line robots vulnerable to hacking
- Recode: Industrial robots that build cars can be easily hacked
- ITWire: Rogue robots wreaking havoc
- InfoSecHotSpot: Compromising industrial robots: the fallacy of industrial routers in the Industry 4.0 ecosystem
- The Security Ledger: Report warns of Robot Hacks, Tampering
- oodaloop: Watch hackers sabotage an industrial robot arm
- Information Security Newspaper: Watch researchers hack an industrial robot and sabotage production
- IT Security News: Watch Hackers Sabotage a $75,000 Industrial Robot Arm
- Motorbox (Italian): Hacker: i robot industriali che fabbricano auto e moto sono a rischio
- Silicon France (French): Les robots industriels à la portée des cyber-attaques
- Génération Nouvelles Technologies (French): Les automates industriels peuvent être piratés, avec de graves conséquences potentielles