A Blog by Jonathan Low

 

May 3, 2017

Industrial Robots That Build Cars and Phones Can Be Easily Hacked

Anything connected to the internet in order to make it easier to update or repair also makes it easier to hack. JL

April Glaser reports in Re/code:

ABB, Fanuc, Mitsubishi, Kawasaki and Yaskawa have been connecting their robots to the internet to monitor or update the machines remotely. But like anything that’s connected to the internet, robots too have become vulnerable to hackers.
Industrial robots are responsible for making nearly every device you use: Your phone, your computer, cars, airplanes, you name it.
It’s incredibly important for robots to do exactly what the factory programmed the robots to do, which is why the findings from a report released by cyber security firm Trend Micro, which reveals how these machines are extremely vulnerable to hackers, are so troubling.
After all, if a robot makes a car part that’s altered just a few millimeters from its original design, it could cause the vehicle to malfunction and crash.
The researchers looked at industrial robots from five major robot manufacturers: ABB, Fanuc, Mitsubishi, Kawasaki and Yaskawa.
In recent years, more and more factories have been connecting their robots to the internet to monitor or update the machines remotely. But like anything that’s connected to the internet, robots too have become vulnerable to hackers.
Take an industrial robot from ABB that the researchers tested. In that robot, they were able to change the details about how the robot is configured in order to introduce an error that caused the machine to slightly change how it operated.
After programming the robot to draw a straight line, the team then hacked it to draw a line that was two millimeters off from the line it was originally programmed to draw.
“If these robots are welding a car chassis together or a wing on an airplane, two millimeters can be catastrophic,” said Mark Nunnikhoven, the vice president of cloud research at Trend Micro.
Robot controllers, which are typically handheld screens with buttons that are used for operating or programming the machines, are also often remotely accessible through the internet, and those internet connections are not always secure.
It was through unsecured network connections that the researchers were able to alter the configuration file in the ABB robot that caused it to draw the line wrong in their tests.
The researchers said robots from other manufacturers had similar security holes, but ABB was the only company that lent the team a robot to test for vulnerabilities.
Many of the industrial robots probed also had security issues with how users were authenticated to access them. Some systems didn’t require a password at all and others used unchangeable default usernames and passwords, according to the report.
These authentication problems make industrial robots vulnerable to something like what happened with the Mirai attack last year, said Nunnikhoven. That attack was able to take advantage of hundreds of thousands of internet-connected devices across the world because they all had hard-coded usernames and passwords.
The good news is that many of the vulnerabilities that were found are easy to fix. But some of the security holes that were discovered are fundamental to the design of the robots, which were not originally built to be connected to the internet.
Nunnikhoven said that ABB responded right away and started to fix the security holes that were found.
Trend Micro is in conversations with the other manufacturers that had robots tested about securing their machinery from hackers too, but the security firm would not go into detail about the status of those talks.
