Open source security and ‘hacking robots before skynet’

In IOActive’s recent white paper,” Hacking Robots Before Skynet,” the authors noted, “When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before.”

This is true, of course. We know this because we have already seen the consequences, if you assume robots are simply computers programmed to perform specific tasks.

For example, drones (unmanned aerial vehicles) are a form of robots, and an attractive target for our adversaries. Taking control of a drone would certainly disrupt a military mission, and could possibly turn a military’s weapons on itself.

In fact, Iran claims to have already done the former. It’s reasonable to think the same could be done to robots having arms and legs instead of wings.

>See also: What lies ahead for open source technology in 2017?

There have also been dozens of examples of cyber attacks using less sophisticated “robots.” The Mirai botnet attack on managed DNS provider Dyn took advantage of the incredibly poor design (from a security perspective) of Internet cameras, DVR, and other devices.

In this case, the devices were used to form a botnet and attack other systems, conducting a denial of service attack that made Twitter, Etsy, and other popular sites unavailable to users. This was inconvenient to users, and likely cost revenue for Dyn customers. It was almost certainly costly for Dyn.

Reports indicate that around 8% of the web domains relying on Dyn’s managed DNS service dropped the service in the immediate aftermath of the attack.

The impact of the attack on Dyn was felt mostly in industries like entertainment and media, followed by technology. But what if the attack had been directed at first responder networks, tele-surgery, or other critical infrastructure?

How about robots with wheels instead of legs? Researchers have also proven that cars can be hacked, including steering, brakes, and the infotainment system.

Uconnect, an Internet-connected computer feature in hundreds of thousands of vehicles, controls the entertainment and navigation systems, enables phone calls, and even offers a Wi-Fi hot spot. Thanks to one vulnerable element, using the vehicle’s Uconnect system, which plugs into a cellular network, security researchers were able to gain control of the car’s entertainment system and then rewrite the firmware to send commands to critical systems like the brakes, steering, and transmission.

In a world where self-driving cars are already on the roads, this should worry everyone. Cars are among the most sophisticated machines on the planet, containing 100 million or more lines of code.

>See also: Open source technology in enterprise

The sophistication of new cars brings numerous benefits such as collision warning systems and automatic emergency braking. But with new technology comes new risks — and new opportunities for malevolence.

Automobiles are becoming increasingly intelligent, automated and most importantly, Internet-connected. This will exacerbate a problem that already exists – carmakers don’t know exactly what software is inside the vehicles they manufacture (most of the software that binds sensors and other car hardware together comes from third-parties).

That software almost certainly contains open source components with security vulnerabilities, as does nearly all software, including that used in robot technology.

As Forrester noted in their recent report on software composition analysis (The Forrester Wave™: Software Composition Analysis, Q1 2017), developers use open source components as the foundation to build their applications; creating applications using only 10% to 20% new code.

“Hacking Robots Before Skynet” stated, “Many robots use open source frameworks and libraries. One of the most popular is the Robot Operating System (ROS) used in several robots from multiple vendors. ROS suffers from many known cyber security problems, such as cleartext communication, authentication issues, and weak authorisation schemes. All of these issues make robots insecure.”

In Black Duck’s on-demand audit practice, we see this in application development every day, whether in robotics/IoT, financial services, automotive, and even cyber security applications.

Application developers leverage open source frameworks and operating systems to accelerate time to market while reducing development costs.

Pick almost any version of Apache Struts or the Spring framework and you’re going to see reported vulnerabilities, sometimes dozens of them. In fact,it is evident that hackers are actively exploiting a critical vulnerability in the Apache Struts 2 framework that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.

>See also: Opening up to open source to the public

Businesses can mitigate these risks using good application security practices. This includes design decisions that would help avoid the Mirai attacks (e.g., forcing users to change default passwords) as well as better security testing.

When open source is a large part of any given application’s codebase, it becomes increasingly important to monitor which components are being used, and track security issues (over 3,000 open source vulnerabilities are disclosed each year).

Vulnerabilities in open source are particularly attractive to attackers, especially when exploits are publicly available. In the same report cited earlier, Forrester notes that, “one out of every 16 open source download requests is for a component with a known vulnerability.”

Popular open source components with known vulnerabilities present a target-rich environment for adversaries, and publicly available exploits can be used in non-targeted attacks by less skilled attackers.

Technology has transformed the way people work, live, and play and is mission-critical to nearly every organisation. Similar to other technologies, robots must be secured against dangerous security breaches.

With open source as the foundation of modern applications, often comprising as much as 90% of application code, and applications increasingly centred in cyber attackers’ crosshairs, open source risk management will be as critical to stop vulnerabilities from being used by attackers to cause serious harm to businesses and consumers.


Sourced by Mike Pittenger, vice president, security strategy, Black Duck Software

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Security
Open Source