Tuesday, June 28, 2022

Warning to CISOs: Industrial cobots need to be watched

It’s hard enough for CISOs to deal with humans in their enterprises. A new report from a security vendor warns increasingly they have to deal with cobots, slang for collaborative robots that work alongside peoples in workplaces.

The report, from researchers at IOActive, cites a study by the control and robotics laboratory at Montreal’s Ecole de technologie superieure (ETS) showing even a small model is powerful enough to harm a person beside it if it loses control. And it might for a number of reasons, including being hacked remotely if the cobot is connected to the public Internet.

The short version of this is that CISOs have to treat cobots like any other device that might connect to a public network, which includes conducting a risk assessment and talking to the manufacturers about the device’s operational code.

What the report says is — like SCADA devices also found in industry — manufacturers may not be using the best cyber security coding practices. In a blog today describing the report, researcher Lucas Apa says in one manufacturer’s cobots an attacker could chain vulnerabilities to remotely modify safety settings, violating applicable safety laws with the result nearby workers could be hurt.

Unlike robots, who operate in a fixed environment, cobots assist humans by seeing through HD cameras and listening through microphones. They can also be guided by operators. Cobots are already in use around the world, and while they will come with safety features they are machines and come with the threats all such devices have: Sharp instruments and the ability to use force.

The cobot analyzed by IOActive had a Linux source code. Briefly, researchers discovered an authentication vulnerability in the server-based management dashboard, exploited a stack-based buffer overflow, modified the safety.conf file, restarted the machine and them moved the cobot in a dangerous way.

This report is a follow-up to one Apa and fellow researcher Cesar Cerrudo did in January (link here. Registration required)  on home, business and industrial robots and cobots. In that paper they found  nearly 50 critical security issues. All were reported to manufacturers. Some have been patched, but this latest paper was issued because one vendor has been tardy.

“Once again, I see novel and expensive technology which is vulnerable and exploitable,” writes Apa. “A very technical bug, like a buffer overflow in one of the protocols, exposed the integrity of the entire robot system to remote attacks. We reported the complete flow of vulnerabilities to the vendors back in January, and they
have yet to be patched.”

The most obvious response from CISOs is to make sure industrial systems run on a segregated network fully protected from Internet attacks. But also the must check with manufacturers to ensure source code isn’t vulnerable.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.