Breaking the Laws of Robotics - paper.seebug.org Conf/Blackhat/2017_us/us... · Breaking the Laws...
Breaking the Laws of Robotics
Attacking Industrial Robots
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea M. Zanchettin, Stefano Zanero
Industrial robots?
Industrial Robot Architecture (Standards)
Controller
Flexibly programmable & Connected
Screenshot of teach pendant + formatted code snippet on the side
“Implicit” parameters
Flexibly programmable & Connected (Part 1)
Connected Robots
● Now: monitoring & maintenance ISO 10218-2:2011
● Near future: active production planning and control
  ○ some vendors expose REST-like APIs
  ○ … up to the use of mobile devices for commands
● Future: app/library stores
  ○ “Industrial” version of robotappstore.com?
Attack surface
USB port
LAN
Radio
Services: Well-known (FTP) + custom (RobAPI)
They are already meant to be connected
Do you consider cyber attacks against robots a realistic threat?
Connected?
What are the most valuable assets at risk?
What consequences do you foresee?
impact is much more important than the
vulnerabilities alone.
How do we assess the impact of an attack against industrial robots?
We assess impact by reasoning on requirements
Requirements: "Laws of Robotics"
Safety
Accuracy
Integrity
Acknowledgements: T.U. Munich, YouTube -- Dart Throwing with a Robotic Manipulator
Robot-Specific Attack
violating any of these requirements via a digital vector
Safety
Accuracy
Integrity
5 robot-specific attacks
Control Loop Alteration
Safety
Integrity
Attack 1
Accuracy
DEMO
Calibration Tampering
Safety
Accuracy
Integrity
Attack 2
Production Logic Tampering
Safety
Accuracy
Integrity
Attack 3
(Perceived) State Alteration
Safety
Accuracy
Integrity
Attack 4+5
Perceived State Alteration PoC
Teach Pendant
Malicious DLL
Is the Teach Pendant part of the safety system?
NO
Are the standard safety measures too limiting?
Do you customize the safety measures in your deployment
Standards & Regulations vs. Real World
...so far, we assumed the attacker has already
compromised the controller...
… let’s compromise the controller!
VxWorks 5.x RTOS (x86)
VxWorks 5.x RTOS (PPC)
Windows CE (ARM) .NET >=3.5
FTP, RobAPI, ...
Wearing the pentester’s hat
● Statically-linked RTOS
● Custom peripherals
  ○ No fuzzing :(
● Firmware online or MMC
  ○ yay, with symbols!
● Simulator for Windows
  ○ “Virtual controller”
  ○ Not an exact replica
User Authorization System
User ∈ roles → grants
Authentication: username + password
Used for FTP, RobAPI, …
By the way, documentation seems to advise against changing the default user’s permissions
Let’s boot!
● How do you update such a complex system?
  ○ Just update the main computer’s MMC!
  ○ Other components (teach pendant, axis computer) fetch their software via FTP at boot.
● FTP? Credentials? Any credential is OK during boot!
● No integrity check on firmware, no signatures, nothing
ABBVU-DMRO-124644
Autoconfiguration is magic!
Service box auto-configures itself via FTP
Hard-coded FTP credentials (again…)
They’re restricted to /command
ABBVU-DMRO-124642
Enter /command
FTP GET /command/whatever: read, e.g., env. vars
FTP PUT /command/file: execute “commands”
shell reboot
shell uas_disable
Pair this with the default, hard-coded credentials for WAN access → remote command execution.
ABBVU-DMRO-124642
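A detection-side view of the /command behaviour above, as an added example that is not code from the talk or the vendor: it classifies FTP transfer events so that reads and writes below /command, and writes with over-long file names, can be alerted on. The event line layout, the function names and the sample lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* From the slides: file names longer than 512 bytes crashed the pendant. */
#define LONG_NAME_LIMIT 512
#define CMD_PREFIX "/command/"

enum ftp_alert {
    FTP_NONE = 0,        /* not under /command, or unparsable */
    FTP_CMD_READ,        /* RETR below /command: information read */
    FTP_CMD_WRITE,       /* STOR below /command: command execution */
    FTP_CMD_WRITE_LONG   /* STOR below /command with an over-long name */
};

/*
 * Classify one event line. Assumed (hypothetical) sensor format:
 *   <timestamp> <source-ip> <VERB> <path>
 * with the FTP verb already upper-cased by the sensor.
 */
static enum ftp_alert classify_ftp_event(const char *line)
{
    char ts[32], src[48], verb[8];
    int off = 0;
    const char *path, *name;
    size_t name_len;

    if (line == NULL ||
        sscanf(line, "%31s %47s %7s %n", ts, src, verb, &off) != 3)
        return FTP_NONE;

    path = line + off;   /* rest of the line, however long it is */
    if (strncmp(path, CMD_PREFIX, strlen(CMD_PREFIX)) != 0)
        return FTP_NONE;

    if (strcmp(verb, "RETR") == 0)
        return FTP_CMD_READ;
    if (strcmp(verb, "STOR") != 0)
        return FTP_NONE;

    name = path + strlen(CMD_PREFIX);
    name_len = strcspn(name, "\r\n");
    return name_len > LONG_NAME_LIMIT ? FTP_CMD_WRITE_LONG : FTP_CMD_WRITE;
}

/* Count the events of one kind in a batch of lines. */
static size_t count_alerts(const char *const *lines, size_t n,
                           enum ftp_alert kind)
{
    size_t i, hits = 0;

    for (i = 0; i < n; i++)
        if (classify_ftp_event(lines[i]) == kind)
            hits++;
    return hits;
}

/* Constructed sample events (documentation-range addresses). */
static const char *const SAMPLE_EVENTS[] = {
    "2017-07-26T10:00:01Z 192.0.2.10 RETR /pub/readme.txt",
    "2017-07-26T10:00:05Z 192.0.2.10 RETR /command/whatever",
    "2017-07-26T10:00:09Z 198.51.100.7 STOR /command/file",
    "2017-07-26T10:00:12Z 192.0.2.10 LIST /command/",
    "malformed line"
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

int main(void)
{
    static const char *const label[] = {
        "none", "cmd-read", "cmd-write", "cmd-write-long-name"
    };
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("%-20s %s\n", label[classify_ftp_event(SAMPLE_EVENTS[i])],
               SAMPLE_EVENTS[i]);
    printf("writes below /command: %lu\n", (unsigned long)
           count_alerts(SAMPLE_EVENTS, SAMPLE_COUNT, FTP_CMD_WRITE));
    return 0;
}
```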
Enter /command
There’s more! Let’s look at cmddev_execute_command:
shell → sprintf(buf, "%s", param)
other commands → sprintf(buf, "cmddev_%s", arg)
tl;dr: whatever the command is, we overflow buf, which is on the stack → remote code execution
ABBVU-DMRO-128238
Other buffer overflows
Ex. 1: RobAPI
● Unauthenticated API endpoint
● Unsanitized strcpy() → remote code execution
Ex. 2: Flex Pendant (TpsStart.exe)
● FTP write /command/timestampAAAAAAA…..AAAAAAA
● file name > 512 bytes ~> Flex Pendant DoS
ABBVU-DMRO-124641, ABBVU-DMRO-124645
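The bounded counterpart of the sprintf() formatting in cmddev_execute_command and of the unchecked strcpy() listed on this slide, as an added example rather than vendor code or code from the talk. The buffer size, the function names and the `status` command are assumptions; the 512-byte cap is the figure from the slide.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the slides do not say how large the stack buffer is. */
#define CMD_BUF_SIZE 64
/* From the slides: file names above 512 bytes crashed the pendant. */
#define NAME_MAX_LEN 512

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_BAD_ARG = -2 };

/*
 * Pattern quoted on the slide (shown for contrast, not compiled):
 *     sprintf(buf, "%s", param);        shell
 *     sprintf(buf, "cmddev_%s", arg);   other commands
 * Neither call limits how much is written into buf.
 */

/*
 * Bounded version of the same formatting. Assumption: for "shell" the
 * parameter is copied as-is, otherwise the command name gets the
 * "cmddev_" prefix. Over-long input is rejected, never truncated.
 */
static enum cmd_status build_command(char *out, size_t out_size,
                                     const char *name, const char *param)
{
    int n;

    if (out == NULL || out_size == 0 || name == NULL || param == NULL)
        return CMD_BAD_ARG;

    if (strcmp(name, "shell") == 0)
        n = snprintf(out, out_size, "%s", param);
    else
        n = snprintf(out, out_size, "cmddev_%s", name);

    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';          /* leave no partial command behind */
        return CMD_TOO_LONG;
    }
    return CMD_OK;
}

/*
 * Replacement for an unchecked strcpy() of a received field: the caller
 * passes the number of bytes received, and the copy is refused unless
 * the field plus its terminator fits the destination.
 */
static enum cmd_status copy_field(char *dst, size_t dst_size,
                                  const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return CMD_BAD_ARG;
    dst[0] = '\0';
    if (src_len >= dst_size)
        return CMD_TOO_LONG;
    if (memchr(src, '\0', src_len) != NULL)
        return CMD_BAD_ARG;     /* embedded NUL would hide trailing bytes */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return CMD_OK;
}

int main(void)
{
    char buf[CMD_BUF_SIZE];
    char name[NAME_MAX_LEN + 1];
    char big[600];              /* constructed over-long input */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("shell/reboot    -> %d \"%s\"\n",
           build_command(buf, sizeof buf, "shell", "reboot"), buf);
    printf("status          -> %d \"%s\"\n",
           build_command(buf, sizeof buf, "status", ""), buf);
    printf("shell/599 bytes -> %d\n",
           build_command(buf, sizeof buf, "shell", big));
    printf("name, 512 bytes -> %d\n", copy_field(name, sizeof name, big, 512));
    printf("name, 513 bytes -> %d\n", copy_field(name, sizeof name, big, 513));
    return 0;
}
```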
Takeaways
Mostly logical vulnerabilities
Some memory corruption
All the components blindly trust the main computer (lack of isolation)
Complete attack chain (1)
Complete attack chain (2)
Complete attack chain (3)
File protection
“Sensitive” files:
● Users’ credentials and permissions
● Sensitive configuration parameters (e.g., PID)
● Industry secrets (e.g., workpiece parameters)
Obfuscation: bitwise XOR with a random key.
Key is derived from the file name. Or from the content. Or …
That’s how we implemented the attacks
Attack Surface
?
Flexibly programmable & Connected (Part 2)
Ethernet Wireless
WAN
Remote Exposure of Industrial Robots
Not so many...

| Search | Entries | Country |
|---|---|---|
| ABB Robotics | 5 | DK, SE |
| FANUC FTP | 9 | US, KR, FR, TW |
| Yaskawa | 9 | CA, JP |
| Kawasaki E Controller | 4 | DE |
| Mitsubishi FTP | 1 | ID |
| Overall | 28 | 10 |

Remote Exposure of Industrial Routers
...way many more!
Unknown which routers are actually robot-connected
Typical Issues
Information Disclosure and "Fingerprintability"
● Verbose banners (beyond brand or model’s name)
● Detailed technical material on vendor’s website
  ○ Technical manual: All vendors inspected
  ○ Firmware: 7/12 vendors
Typical Issues (1)
Outdated Software Components
● Application software (e.g., DropBear SSH, BusyBox)
● Libraries (including crypto libraries)
● Compiler & kernel
● Baseband firmware
Typical Issues (2)
Insecure Web Interface
● Poor input sanitization
● E.g., code coming straight from a "beginners" blog
Bottom line
Connect your robots with care
Conclusions
Robots are increasingly being connected
Robot-specific class of attacks
Barrier to entry: quite high, budget-wise
Black Hat Sound Bytes
Vendors are very responsive
As a community we really need to push hard for countermeasures
What should we do now?
Hints on Countermeasures
Short term: Attack detection and deployment hardening
Medium term: System hardening
Long term: New standards, beyond safety issues
Davide @_ocean
Federico @phretor
Marcello @mapogli
Papers, slides, and FAQ @ robosec.org
Questions?