CANCÚN, Mexico—“Give me bitcoins now, or prepare to die.”
The declaration, a clear reference to the cult classic The Princess Bride, came from an otherwise-friendly Nao robot featured in a video designed to demonstrate that, like their computer predecessors that can’t walk or roll down the street, humanoid robots like SoftBank Robotics’ Nao and Pepper are susceptible to ransomware attacks.
Lucas Apa, one of two researchers at computer security company IOActive Labs who designed the Nao hack and produced the video, says the fact that perambulating robots are vulnerable to ransomware should be a wake-up call to manufacturers and consumers alike. He presented the attack at the annual Kaspersky Security Analyst Summit (co-sponsored by Avast Software, which sponsors this site) here on Friday.
While IOActive’s research is only a proof-of-concept at this point, Apa says, it demonstrates that ostensibly cutting-edge robots, which companies increasingly expect consumers to rely on, are vulnerable to the same kinds of attacks that have been plaguing traditional computers and phones for years.
Ransomware, in particular, has surged in recent years, as hackers have learned how to effectively use it. In 2016 alone, they used ransomware attacks to extort consumers and businesses out of an estimated $1 billion.
Humanoid “robots are computers with arms and legs. They run Android, they run Linux. The technical ransomware attack is the same,” Apa says. Robot makers could stop attacks “with basic security features like a factory reset option” akin to a phone wipe option. But thus far, he says, they aren’t.
Apa and his IOActive colleague Cesar Cerrudo, who wasn’t at the conference, published research in August showing that robots designed to interact with consumers, including Pepper and Nao, Ubtech Robotics’ Alpha 1S and Alpha 2, and Robotis’ OP2 and Thormang3, are vulnerable to hackers in part because their manufacturers are slow to fix problems—if at all.
Apa and Cerrudo documented nearly 50 security vulnerabilities, saying at the time that many were “common problems.” More than a year after the duo first reached out to the robot makers, only one vulnerability of the 50 they identified has been patched, Apa says. And the robots’ security problems go beyond software vulnerabilities.
There’s no way for owners of the robots, Apa says, to reset them to factory defaults, which usually can wipe out a ransomware infection along with any data on the device. That has to be done by an authorized technician. Without having the ability to reset the robot themselves, a robot owner, rightly fearing losing sensitive data, “could feel more pressure to pay” its ransomware demand, he adds.
Kass Dawson, the head of marketing communications at SoftBank Robotics, told The Parallax in an emailed statement that businesses relying on robots bear some of the responsibility for maintaining their security.
“When in use of Pepper, we ask to maintain the Wi-Fi network security, and also to set the robot passwords correctly. We will continue to improve our security measures on Pepper so we can counter any risks we may face,” Dawson wrote. She did not address Nao, though the two robots use the same operating system, and IOActive’s proof-of-concept ransomware attack works on both models.
IDC estimates that global investments in robotics will hit $230 billion by 2021. And if sales of SoftBank’s pricey robots are any indication, consumers around the world are becoming more and more likely to encounter a humanoid robot.
More than 2,000 businesses, including tech retail stores in California and a Pizza Hut in Singapore, have cumulatively bought more than 20,000 Peppers. Each Pepper costs about $14,000 over three years, when factoring in mandatory maintenance and insurance packages. When the first 1,000 Peppers went on sale to home consumers in Japan in 2015, they reportedly sold out in 60 seconds.
Educational and research institutions, meanwhile—some of which are focused on helping children with autism—have bought more than 10,000 Naos, each costing about $9,000.
The growing popularity of humanoid robots is going to come with serious security consequences sooner rather than later, says Dewan Chowdhury, founder and CEO of MalCrawler, a security software company that protects industrial control systems.
“The robotics industry is just like any other industry getting into consumers for the first time,” says Chowdhury, who presented on the security of industrial-use robots at the Kaspersky conference. “But you can’t just be ignorant of common security protections to make your unique product.”