SlideShare uma empresa Scribd logo

Breaking the Laws of Robotics: Attacking Industrial Robots

Speck&Tech
Speck&Tech

ABSTRACT: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices but include complex embedded controllers, which are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point. The talk will discuss how remote attackers are able to attack such robots up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans. BIO: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently a full professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyber-physical security, and cybersecurity in general. Besides teaching “Computer Security” and “Digital Forensics and Cybercrime” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 100 scientific papers and books. He is a Senior Member of the IEEE and the IEEE Computer Society, which has named him a Distinguished Lecturer and Distinguished Contributor; he is a lifetime senior member of the ACM, which has named him a Distinguished Speaker; and has been named a Fellow of the ISSA (Information System Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading cybersecurity assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.

Tecnologia
1 de 55
Baixar para ler offline
Breaking the laws of robotics Attacking industrial robots Stefano Zanero Politecnico di Milano Partially based upon work with present and former colleagues and students: D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. Zanchettin, M. Vittone
Originally disconnected systems Now opening up to the Internet Security as an afterthought Industrial CPS traits
Production-critical systems Difficult to update Long service life and forever days Not necessarily managed by corp. IT (“IT vs OT”) Industrial CPS traits
Cyber-Physical Systems Influence the physical environment Sometimes, critical systems (safety-wise, critical infra) Industrial CPS traits
CIA triad not so important, but: ● Safety ○ people, environment, equipment ● Production continuity ○ Production plant halting ○ Ransomware (“oh, I could ransom that, too”) ● Production outcome alteration ○ → safety? Threat Scenarios
Example: additive manufacturing micro-defects dr0wned - Cyber-Physical Attack with Additive Manufacturing, Sofia Belikovetsky, Mark Yampolskiy, Jinghui Toh, Yuval Elovici, WOOT ‘17
Industrial robots?
Screenshot of teach pendant + formatted code snippet on the side 1) Robots are flexibly programmable...
… and the program doesn’t say it all
2) Robots are extensible & connected source: http://developercenter.robotstudio.com source: abb.com source: https://universal-robots.com/plus
3) Robots are (sometimes) collaborative
We assess attack impactby reasoning on requirements
Requirements Safety I/O Accuracy Integrity
violating any of these requirements via a digital vector Requirements → Robot-Specific Attack Safety I/O Accuracy Integrity
Control Loop or Calibration Tampering Safety Accuracy Integrity Attack 2
Production Logic Tampering Safety Accuracy Integrity Attack 3
Displayed or Actual State Alteration Safety Accuracy Integrity Attacks 4+5 Displayed or Actual State Alteration
Displayed State Alteration Example Teach Pendant Malicious DLL
Compromising robot controllers
Attack surface USB port LAN Radio Services: Well-known (FTP) + custom (RobAPI)
Plenty of vulnerabilities ● BOF leading to RCE ABBVU-DMRO-124641 ● BOF in FlexPendant ABBVU-DMRO-124645 ● BOF in /command endpoint ABBVU-DMRO-128238 ● Command Injection ABBVU-DMRO-124642 ● Authentication bypass ABBVU-DMRO-124644
Takeaways Some memory corruption Mostly logical vulnerabilities Unprotected sensitive files (e.g. config) All the components blindly trust the main computer (lack of isolation)
Full Controller Exploitation
That’s how we implemented the attacks
What’s the Attack Surface?
Robots are meant to be connected
Connected Robots: Why? ● Now: monitoring & maintenance ISO 10218-2:2011 ● Enter the I4.0: active production planning/control ○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands ● Future: app/library stores ○ “Industrial” version of robotappstore.com?
More in general: the “smart factory” ecosystem
ICS on the Internet
Not so many... Remote Exposure of Industrial Robots Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10
Remote Exposure of Industrial Routers ...way more! Unknown which routers are actually robot-connected
Trivially “Fingerprintable” (banners, firmware, manuals) Outdated Software Components Insecure Web Interface Industrial Routers: Typical Issues Cut & paste
Proprietary Languages Language Vendor RAPID ABB KRL KUKA MELFA BASIC Mitsubishi AS Kawasaki PDL2 COMAU PacScript DENSO URScript Universal-Robot KAREL FANUC
The DSL rabbithole
Vendor File System Directory Listing ABB ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect DENSO Universal-Robot FANUC ✔ ✔ Features: Handle File Resources
Features: Load new Code at Runtime Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
Features: Network Communication Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
We Asked Automation Engineers... What language features do you use when programming robots?
We Found out that… •Developers can introduce vulnerabilities that can be exploited • Yes, we found vulnerable code published on GitHub •Threat actors can abuse the language features to write malware • Yes, we were able to write a network-capable, self-spreading malware dropper
Example: a vulnerable web server in RAPID
Example Web server root Robot controller Secrets stolen Outside the root
Sources and Sinks Attacker-controlled input concrete impact sensitive sources sensitive sinks File Inbound communication (e.g., network) Teach Pendant (UI) Robot Movement File Handling (e.g., read) File Modification (e.g., write configuration) Call by Name
1 2 3 4 We built an analyzer for (some) DSL CFG Generation Dataflow Analysis Task program’s source code Parsing RAPID parser KRL parser ... MoveJ point0 WaitTime 4 MoveL point1 WaitTime 5 ... ICFG Generatio n Potential Vulnerabilities Potentially Abused Features Insecure Patterns & Malicious Patterns
Detection Results •Hard to find public code (it’s intellectual property) •100 RAPID and KRL files on public repo (e.g., GitHub and GitLab) Vulnerability Projects Files Root Cause Network → Remote Function Exec 2 2 Dynamic code loading Network → File Access 1 4 Unfiltered open file Network → Arbitrary Movement 13 34 Unrestricted Move Joint or Move to point Detection Errors 2 12 Interrupts
•Exchange files via network Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
•Load or send data via network •Jump to code available at runtime Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
•Load or send data via network •Jump to code available at runtime •Scan the network for targets Are These Languages Good to Write Malware? Vendor Communication ABB ✔ KUKA ✔ Mitsubishi ✔ Kawasaki ✔ COMAU ✔ DENSO ✔ Universal-Robot ✔ FANUC ✔
•Load or send data via network •Jump to code available at runtime •Scan the network for targets •Turing-complete language Are These Languages Good to Write Malware?
Conclusions
Manufacturing systems increasingly connected Industrial-specific classes of attacks Domain-specific languages vulnerabilities Cooperative robotics challenges Conclusions
Stefano Zanero stefano.zanero@polimi.it @raistolo For further details, scientific papers, and more: http://robosec.org Questions?

Recomendados

IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
Jian-Hong Pan
 
Open Source IoT Project Flogo - Introduction, Overview and Architecture
Open Source IoT Project Flogo - Introduction, Overview and ArchitectureOpen Source IoT Project Flogo - Introduction, Overview and Architecture
Open Source IoT Project Flogo - Introduction, Overview and Architecture
Kai Wähner
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
ssuser57b3e5
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor Customizations
Roberto Natella
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
Duo Security
 
Analyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsAnalyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of Things
Ike Clinton
 

Recomendados

IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
Jian-Hong Pan
 
Open Source IoT Project Flogo - Introduction, Overview and Architecture
Open Source IoT Project Flogo - Introduction, Overview and ArchitectureOpen Source IoT Project Flogo - Introduction, Overview and Architecture
Open Source IoT Project Flogo - Introduction, Overview and Architecture
Kai Wähner
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
ssuser57b3e5
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor Customizations
Roberto Natella
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
Duo Security
 
Analyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsAnalyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of Things
Ike Clinton
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Alex Senkevitch
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
Resin.io overview (2016 July)
Resin.io overview (2016 July)Resin.io overview (2016 July)
Resin.io overview (2016 July)
Balena
 
Track 4 session 6 - st dev con 2016 - samsung artik
Track 4 session 6 - st dev con 2016 - samsung artikTrack 4 session 6 - st dev con 2016 - samsung artik
Track 4 session 6 - st dev con 2016 - samsung artik
ST_World
 
IoT and the Role of Platforms
IoT and the Role of PlatformsIoT and the Role of Platforms
IoT and the Role of Platforms
TiE Bangalore
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
shawn_merdinger
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
sparkfabrik
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Stéphanie Roger
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
veerababu penugonda(Mr-IoT)
 
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for RobotsFIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado
 
The internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
Yoni Davidson
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
Balwinder Kaur
 
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Kai Wähner
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
aibo introduction at ROSCon2018@Madrid
aibo introduction at ROSCon2018@Madridaibo introduction at ROSCon2018@Madrid
aibo introduction at ROSCon2018@Madrid
Tomoya Fujita
 
Mainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT PlatformMainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT Platform
Sasa Klopanovic
 
What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futures
Speck&Tech
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"
Speck&Tech
 

Mais conteúdo relacionado

Semelhante a Breaking the Laws of Robotics: Attacking Industrial Robots

Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Alex Senkevitch
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
sparkfabrik
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Stéphanie Roger
 
The internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
Yoni Davidson
 
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Kai Wähner
 
Mainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT PlatformMainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT Platform
Sasa Klopanovic
 

Semelhante a Breaking the Laws of Robotics: Attacking Industrial Robots (20)

Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Resin.io overview (2016 July)
Resin.io overview (2016 July)Resin.io overview (2016 July)
Resin.io overview (2016 July)
 
Track 4 session 6 - st dev con 2016 - samsung artik
Track 4 session 6 - st dev con 2016 - samsung artikTrack 4 session 6 - st dev con 2016 - samsung artik
Track 4 session 6 - st dev con 2016 - samsung artik
 
IoT and the Role of Platforms
IoT and the Role of PlatformsIoT and the Role of Platforms
IoT and the Role of Platforms
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for RobotsFIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
The internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
 
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
aibo introduction at ROSCon2018@Madrid
aibo introduction at ROSCon2018@Madridaibo introduction at ROSCon2018@Madrid
aibo introduction at ROSCon2018@Madrid
 
Mainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT PlatformMainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT Platform
 

Mais de Speck&Tech

What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futures
Speck&Tech
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"
Speck&Tech
 
Delve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsDelve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomics
Speck&Tech
 
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Speck&Tech
 
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Speck&Tech
 
Why LLMs should be handled with care
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with care
Speck&Tech
 
Building intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsBuilding intelligent applications with Large Language Models
Building intelligent applications with Large Language Models
Speck&Tech
 
Give your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUs
Speck&Tech
 
From leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technology
Speck&Tech
 
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Speck&Tech
 
Architecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for science
Speck&Tech
 
Truck planning: how to certify the right route
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right route
Speck&Tech
 
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Speck&Tech
 

Mais de Speck&Tech (20)

What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futures
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"
 
AWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaAWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scala
 
Praticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesPraticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web Services
 
Data Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designData Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information design
 
Data Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerData Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as power
 
Delve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsDelve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomics
 
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
 
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
 
Why LLMs should be handled with care
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with care
 
Building intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsBuilding intelligent applications with Large Language Models
Building intelligent applications with Large Language Models
 
Privacy in the era of quantum computers
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computers
 
Machine learning with quantum computers
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computers
 
Give your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUs
 
From leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technology
 
Innovating Wood
Innovating WoodInnovating Wood
Innovating Wood
 
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIX
 
Architecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for science
 
Truck planning: how to certify the right route
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right route
 
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Último (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 

Breaking the Laws of Robotics: Attacking Industrial Robots

  • 1. Breaking the laws of robotics Attacking industrial robots Stefano Zanero Politecnico di Milano Partially based upon work with present and former colleagues and students: D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. Zanchettin, M. Vittone
  • 2. Originally disconnected systems Now opening up to the Internet Security as an afterthought Industrial CPS traits
  • 3. Production-critical systems Difficult to update Long service life and forever days Not necessarily managed by corp. IT (“IT vs OT”) Industrial CPS traits
  • 4. Cyber-Physical Systems Influence the physical environment Sometimes, critical systems (safety-wise, critical infra) Industrial CPS traits
  • 5. CIA triad not so important, but: ● Safety ○ people, environment, equipment ● Production continuity ○ Production plant halting ○ Ransomware (“oh, I could ransom that, too”) ● Production outcome alteration ○ → safety? Threat Scenarios
  • 6. Example: additive manufacturing micro-defects dr0wned - Cyber-Physical Attack with Additive Manufacturing, Sofia Belikovetsky, Mark Yampolskiy, Jinghui Toh, Yuval Elovici, WOOT ‘17
  • 8.
  • 9. Screenshot of teach pendant + formatted code snippet on the side 1) Robots are flexibly programmable...
  • 10. … and the program doesn’t say it all
  • 11. 2) Robots are extensible & connected source: http://developercenter.robotstudio.com source: abb.com source: https://universal-robots.com/plus
  • 12. 3) Robots are (sometimes) collaborative
  • 15. violating any of these requirements via a digital vector Requirements → Robot-Specific Attack Safety I/O Accuracy Integrity
  • 16. Control Loop or Calibration Tampering Safety Accuracy Integrity Attack 2
  • 18. Displayed or Actual State Alteration Safety Accuracy Integrity Attacks 4+5 Displayed or Actual State Alteration
  • 19. Displayed State Alteration Example Teach Pendant Malicious DLL
  • 21.
  • 23. Plenty of vulnerabilities ● BOF leading to RCE ABBVU-DMRO-124641 ● BOF in FlexPendant ABBVU-DMRO-124645 ● BOF in /command endpoint ABBVU-DMRO-128238 ● Command Injection ABBVU-DMRO-124642 ● Authentication bypass ABBVU-DMRO-124644
  • 24. Takeaways Some memory corruption Mostly logical vulnerabilities Unprotected sensitive files (e.g. config) All the components blindly trust the main computer (lack of isolation)
  • 26. That’s how we implemented the attacks
  • 28. Robots are meant to be connected
  • 29. Connected Robots: Why? ● Now: monitoring & maintenance ISO 10218-2:2011 ● Enter the I4.0: active production planning/control ○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands ● Future: app/library stores ○ “Industrial” version of robotappstore.com?
  • 30. More in general: the “smart factory” ecosystem
  • 31. ICS on the Internet
  • 32. Not so many... Remote Exposure of Industrial Robots Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10
  • 33. Remote Exposure of Industrial Routers ...way more! Unknown which routers are actually robot-connected
  • 34. Trivially “Fingerprintable” (banners, firmware, manuals) Outdated Software Components Insecure Web Interface Industrial Routers: Typical Issues Cut & paste
  • 35. Proprietary Languages Language Vendor RAPID ABB KRL KUKA MELFA BASIC Mitsubishi AS Kawasaki PDL2 COMAU PacScript DENSO URScript Universal-Robot KAREL FANUC
  • 37. Vendor File System Directory Listing ABB ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect DENSO Universal-Robot FANUC ✔ ✔ Features: Handle File Resources
  • 38. Features: Load new Code at Runtime Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
  • 39. Features: Network Communication Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
  • 40. We Asked Automation Engineers... What language features do you use when programming robots?
  • 41. We Found out that… •Developers can introduce vulnerabilities that can be exploited • Yes, we found vulnerable code published on GitHub •Threat actors can abuse the language features to write malware • Yes, we were able to write a network-capable, self-spreading malware dropper
  • 42. Example: a vulnerable web server in RAPID
  • 44. Sources and Sinks Attacker-controlled input concrete impact sensitive sources sensitive sinks File Inbound communication (e.g., network) Teach Pendant (UI) Robot Movement File Handling (e.g., read) File Modification (e.g., write configuration) Call by Name
  • 45. 1 2 3 4 We built an analyzer for (some) DSL CFG Generation Dataflow Analysis Task program’s source code Parsing RAPID parser KRL parser ... MoveJ point0 WaitTime 4 MoveL point1 WaitTime 5 ... ICFG Generatio n Potential Vulnerabilities Potentially Abused Features Insecure Patterns & Malicious Patterns
  • 46. Detection Results •Hard to find public code (it’s intellectual property) •100 RAPID and KRL files on public repo (e.g., GitHub and GitLab) Vulnerability Projects Files Root Cause Network → Remote Function Exec 2 2 Dynamic code loading Network → File Access 1 4 Unfiltered open file Network → Arbitrary Movement 13 34 Unrestricted Move Joint or Move to point Detection Errors 2 12 Interrupts
  • 47. •Exchange files via network Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
  • 48. •Load or send data via network •Jump to code available at runtime Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
  • 49. •Load or send data via network •Jump to code available at runtime •Scan the network for targets Are These Languages Good to Write Malware? Vendor Communication ABB ✔ KUKA ✔ Mitsubishi ✔ Kawasaki ✔ COMAU ✔ DENSO ✔ Universal-Robot ✔ FANUC ✔
  • 50. •Load or send data via network •Jump to code available at runtime •Scan the network for targets •Turing-complete language Are These Languages Good to Write Malware?
  • 51.
  • 52.
  • 54. Manufacturing systems increasingly connected Industrial-specific classes of attacks Domain-specific languages vulnerabilities Cooperative robotics challenges Conclusions
  • 55. Stefano Zanero stefano.zanero@polimi.it @raistolo For further details, scientific papers, and more: http://robosec.org Questions?