Breaking the Laws of Robotics: Attacking Industrial Robots

Speck&Tech
Speck&TechSpeck&Tech
Breaking the laws of robotics Attacking industrial robots Stefano Zanero Politecnico di Milano Partially based upon work with present and former colleagues and students: D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. Zanchettin, M. Vittone
Originally disconnected systems Now opening up to the Internet Security as an afterthought Industrial CPS traits
Production-critical systems Difficult to update Long service life and forever days Not necessarily managed by corp. IT (“IT vs OT”) Industrial CPS traits
Cyber-Physical Systems Influence the physical environment Sometimes, critical systems (safety-wise, critical infra) Industrial CPS traits
CIA triad not so important, but: ● Safety ○ people, environment, equipment ● Production continuity ○ Production plant halting ○ Ransomware (“oh, I could ransom that, too”) ● Production outcome alteration ○ → safety? Threat Scenarios
Example: additive manufacturing micro-defects dr0wned - Cyber-Physical Attack with Additive Manufacturing, Sofia Belikovetsky, Mark Yampolskiy, Jinghui Toh, Yuval Elovici, WOOT ‘17
Industrial robots?
Breaking the Laws of Robotics: Attacking Industrial Robots
Screenshot of teach pendant + formatted code snippet on the side 1) Robots are flexibly programmable...
… and the program doesn’t say it all
2) Robots are extensible & connected source: http://developercenter.robotstudio.com source: abb.com source: https://universal-robots.com/plus
3) Robots are (sometimes) collaborative
We assess attack impactby reasoning on requirements
Requirements Safety I/O Accuracy Integrity
violating any of these requirements via a digital vector Requirements → Robot-Specific Attack Safety I/O Accuracy Integrity
Control Loop or Calibration Tampering Safety Accuracy Integrity Attack 2
Production Logic Tampering Safety Accuracy Integrity Attack 3
Displayed or Actual State Alteration Safety Accuracy Integrity Attacks 4+5 Displayed or Actual State Alteration
Displayed State Alteration Example Teach Pendant Malicious DLL
Compromising robot controllers
Breaking the Laws of Robotics: Attacking Industrial Robots
Attack surface USB port LAN Radio Services: Well-known (FTP) + custom (RobAPI)
Plenty of vulnerabilities ● BOF leading to RCE ABBVU-DMRO-124641 ● BOF in FlexPendant ABBVU-DMRO-124645 ● BOF in /command endpoint ABBVU-DMRO-128238 ● Command Injection ABBVU-DMRO-124642 ● Authentication bypass ABBVU-DMRO-124644
Takeaways Some memory corruption Mostly logical vulnerabilities Unprotected sensitive files (e.g. config) All the components blindly trust the main computer (lack of isolation)
Full Controller Exploitation
That’s how we implemented the attacks
What’s the Attack Surface?
Robots are meant to be connected
Connected Robots: Why? ● Now: monitoring & maintenance ISO 10218-2:2011 ● Enter the I4.0: active production planning/control ○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands ● Future: app/library stores ○ “Industrial” version of robotappstore.com?
More in general: the “smart factory” ecosystem
ICS on the Internet
Not so many... Remote Exposure of Industrial Robots Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10
Remote Exposure of Industrial Routers ...way more! Unknown which routers are actually robot-connected
Trivially “Fingerprintable” (banners, firmware, manuals) Outdated Software Components Insecure Web Interface Industrial Routers: Typical Issues Cut & paste
Proprietary Languages Language Vendor RAPID ABB KRL KUKA MELFA BASIC Mitsubishi AS Kawasaki PDL2 COMAU PacScript DENSO URScript Universal-Robot KAREL FANUC
The DSL rabbithole
Vendor File System Directory Listing ABB ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect DENSO Universal-Robot FANUC ✔ ✔ Features: Handle File Resources
Features: Load new Code at Runtime Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
Features: Network Communication Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
We Asked Automation Engineers... What language features do you use when programming robots?
We Found out that… •Developers can introduce vulnerabilities that can be exploited • Yes, we found vulnerable code published on GitHub •Threat actors can abuse the language features to write malware • Yes, we were able to write a network-capable, self-spreading malware dropper
Example: a vulnerable web server in RAPID
Example Web server root Robot controller Secrets stolen Outside the root
Sources and Sinks Attacker-controlled input concrete impact sensitive sources sensitive sinks File Inbound communication (e.g., network) Teach Pendant (UI) Robot Movement File Handling (e.g., read) File Modification (e.g., write configuration) Call by Name
1 2 3 4 We built an analyzer for (some) DSL CFG Generation Dataflow Analysis Task program’s source code Parsing RAPID parser KRL parser ... MoveJ point0 WaitTime 4 MoveL point1 WaitTime 5 ... ICFG Generatio n Potential Vulnerabilities Potentially Abused Features Insecure Patterns & Malicious Patterns
Detection Results •Hard to find public code (it’s intellectual property) •100 RAPID and KRL files on public repo (e.g., GitHub and GitLab) Vulnerability Projects Files Root Cause Network → Remote Function Exec 2 2 Dynamic code loading Network → File Access 1 4 Unfiltered open file Network → Arbitrary Movement 13 34 Unrestricted Move Joint or Move to point Detection Errors 2 12 Interrupts
•Exchange files via network Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
•Load or send data via network •Jump to code available at runtime Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
•Load or send data via network •Jump to code available at runtime •Scan the network for targets Are These Languages Good to Write Malware? Vendor Communication ABB ✔ KUKA ✔ Mitsubishi ✔ Kawasaki ✔ COMAU ✔ DENSO ✔ Universal-Robot ✔ FANUC ✔
•Load or send data via network •Jump to code available at runtime •Scan the network for targets •Turing-complete language Are These Languages Good to Write Malware?
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial Robots
Conclusions
Manufacturing systems increasingly connected Industrial-specific classes of attacks Domain-specific languages vulnerabilities Cooperative robotics challenges Conclusions
Stefano Zanero stefano.zanero@polimi.it @raistolo For further details, scientific papers, and more: http://robosec.org Questions?
1 de 55

Breaking the Laws of Robotics: Attacking Industrial Robots

Baixar para ler offline
Tecnologia

ABSTRACT: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices but include complex embedded controllers, which are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point. The talk will discuss how remote attackers are able to attack such robots up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans. BIO: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently a full professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyber-physical security, and cybersecurity in general. Besides teaching “Computer Security” and “Digital Forensics and Cybercrime” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 100 scientific papers and books. He is a Senior Member of the IEEE and the IEEE Computer Society, which has named him a Distinguished Lecturer and Distinguished Contributor; he is a lifetime senior member of the ACM, which has named him a Distinguished Speaker; and has been named a Fellow of the ISSA (Information System Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading cybersecurity assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.

Speck&Tech
Speck&TechSpeck&Tech

Recomendados

IOT Exploitation por
IOT Exploitation IOT Exploitation
IOT Exploitation Cysinfo Cyber Security Community
2.6K visualizações40 slides
The Considerations for Internet of Things @ 2017 por
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017Jian-Hong Pan
1.5K visualizações54 slides
Open Source IoT Project Flogo - Introduction, Overview and Architecture por
Open Source IoT Project Flogo - Introduction, Overview and ArchitectureOpen Source IoT Project Flogo - Introduction, Overview and Architecture
Open Source IoT Project Flogo - Introduction, Overview and ArchitectureKai Wähner
20.5K visualizações43 slides
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig por
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
1.4K visualizações29 slides
Attacking Proprietary Android Vendor Customizations por
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsRoberto Natella
103 visualizações35 slides
The Internet of Things: We've Got to Chat por
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
878 visualizações37 slides

Mais conteúdo relacionado

Similar a Breaking the Laws of Robotics: Attacking Industrial Robots

The Hacking Games - Operation System Vulnerabilities Meetup 29112022 por
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
22 visualizações123 slides
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu... por
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
2.3K visualizações89 slides
Resin.io overview (2016 July) por
Resin.io overview (2016 July)Resin.io overview (2016 July)
Resin.io overview (2016 July)Balena
509 visualizações26 slides
Track 4 session 6 - st dev con 2016 - samsung artik por
Track 4 session 6 - st dev con 2016 - samsung artikTrack 4 session 6 - st dev con 2016 - samsung artik
Track 4 session 6 - st dev con 2016 - samsung artikST_World
1.7K visualizações21 slides
IoT and the Role of Platforms por
IoT and the Role of PlatformsIoT and the Role of Platforms
IoT and the Role of PlatformsTiE Bangalore
2K visualizações21 slides
Why Pentesting is Vital to the Modern DoD Workforce por
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceGlobal Knowledge Training
300 visualizações36 slides

Similar a Breaking the Laws of Robotics: Attacking Industrial Robots(20)

The Hacking Games - Operation System Vulnerabilities Meetup 29112022 por lior mazor
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor22 visualizações
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu... por Maksim Shudrak
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak2.3K visualizações
Resin.io overview (2016 July) por Balena
Resin.io overview (2016 July)Resin.io overview (2016 July)
Resin.io overview (2016 July)
Balena509 visualizações
Track 4 session 6 - st dev con 2016 - samsung artik por ST_World
Track 4 session 6 - st dev con 2016 - samsung artikTrack 4 session 6 - st dev con 2016 - samsung artik
Track 4 session 6 - st dev con 2016 - samsung artik
ST_World 1.7K visualizações
IoT and the Role of Platforms por TiE Bangalore
IoT and the Role of PlatformsIoT and the Role of Platforms
IoT and the Role of Platforms
TiE Bangalore2K visualizações
Why Pentesting is Vital to the Modern DoD Workforce por Global Knowledge Training
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training300 visualizações
Defcon 18 "Hacking Electronic Door Access Controllers" por shawn_merdinger
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
shawn_merdinger935 visualizações
Deep dive nella supply chain della nostra infrastruttura cloud por sparkfabrik
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
sparkfabrik20 visualizações
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT por Stéphanie Roger
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Stéphanie Roger323 visualizações
Beginner’s Guide on How to Start Exploring IoT Security 1st Session por veerababu penugonda(Mr-IoT)
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
veerababu penugonda(Mr-IoT)505 visualizações
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots por FIWARE
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for RobotsFIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE Wednesday Webinars - How to Develop FIWARE NGSI Interfaces for Robots
FIWARE551 visualizações
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane... por Felipe Prado
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado76 visualizações
The internet of things in now , see how golang is a part of this evolution por Yoni Davidson
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
Yoni Davidson3K visualizações
Going Beyond the Device Heart Beat por Balwinder Kaur
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
Balwinder Kaur560 visualizações
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon) por Kai Wähner
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Kai Wähner5.9K visualizações
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar por Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar1.1K visualizações
Stuxnet dc9723 por Iftach Ian Amit
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit7.8K visualizações
aibo introduction at ROSCon2018@Madrid por Tomoya Fujita
aibo introduction at ROSCon2018@Madridaibo introduction at ROSCon2018@Madrid
aibo introduction at ROSCon2018@Madrid
Tomoya Fujita163 visualizações
Mainflux - Hyperscalable Unified IoT Platform por Sasa Klopanovic
Mainflux - Hyperscalable Unified IoT PlatformMainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT Platform
Sasa Klopanovic323 visualizações
Mainflux - Hyperscalable Unified IoT Platform por Sasa Klopanovic
Mainflux - Hyperscalable Unified IoT PlatformMainflux - Hyperscalable Unified IoT Platform
Mainflux - Hyperscalable Unified IoT Platform
Sasa Klopanovic190 visualizações

Mais de Speck&Tech

Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ... por
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Speck&Tech
67 visualizações12 slides
Monitorare una flotta di autobus: architettura di un progetto di acquisizione... por
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Speck&Tech
65 visualizações18 slides
Why LLMs should be handled with care por
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with careSpeck&Tech
84 visualizações21 slides
Privacy in the era of quantum computers por
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computersSpeck&Tech
203 visualizações37 slides
Machine learning with quantum computers por
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computersSpeck&Tech
213 visualizações20 slides
Give your Web App superpowers by using GPUs por
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsSpeck&Tech
207 visualizações60 slides

Mais de Speck&Tech(20)

Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ... por Speck&Tech
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Speck&Tech67 visualizações
Monitorare una flotta di autobus: architettura di un progetto di acquisizione... por Speck&Tech
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Speck&Tech65 visualizações
Why LLMs should be handled with care por Speck&Tech
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with care
Speck&Tech84 visualizações
Privacy in the era of quantum computers por Speck&Tech
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computers
Speck&Tech203 visualizações
Machine learning with quantum computers por Speck&Tech
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computers
Speck&Tech213 visualizações
Give your Web App superpowers by using GPUs por Speck&Tech
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUs
Speck&Tech207 visualizações
From leaf to orbit: exploring forests with technology por Speck&Tech
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technology
Speck&Tech101 visualizações
Innovating Wood por Speck&Tech
Innovating WoodInnovating Wood
Innovating Wood
Speck&Tech141 visualizações
Behind the scenes of our everyday Internet: the role of an IXP like MIX por Speck&Tech
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Speck&Tech99 visualizações
Architecting a 35 PB distributed parallel file system for science por Speck&Tech
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for science
Speck&Tech127 visualizações
Truck planning: how to certify the right route por Speck&Tech
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right route
Speck&Tech228 visualizações
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ... por Speck&Tech
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Speck&Tech229 visualizações
AI and Space: finally, no more arguing with the GPS por Speck&Tech
AI and Space: finally, no more arguing with the GPSAI and Space: finally, no more arguing with the GPS
AI and Space: finally, no more arguing with the GPS
Speck&Tech171 visualizações
Space is open for business por Speck&Tech
Space is open for businessSpace is open for business
Space is open for business
Speck&Tech176 visualizações
Building large science space projects por Speck&Tech
Building large science space projectsBuilding large science space projects
Building large science space projects
Speck&Tech161 visualizações
Log Stealers - Shopping time for Threat Actors! por Speck&Tech
Log Stealers - Shopping time for Threat Actors!Log Stealers - Shopping time for Threat Actors!
Log Stealers - Shopping time for Threat Actors!
Speck&Tech368 visualizações
Design beyond deliverables por Speck&Tech
Design beyond deliverablesDesign beyond deliverables
Design beyond deliverables
Speck&Tech192 visualizações
Your website is ugly - how to fix it (and why you should care) por Speck&Tech
Your website is ugly - how to fix it (and why you should care)Your website is ugly - how to fix it (and why you should care)
Your website is ugly - how to fix it (and why you should care)
Speck&Tech215 visualizações
Why you should get a worse computer por Speck&Tech
Why you should get a worse computerWhy you should get a worse computer
Why you should get a worse computer
Speck&Tech228 visualizações
Intelligenza artificiale: uno yin o uno yang per i diritti umani? por Speck&Tech
Intelligenza artificiale: uno yin o uno yang per i diritti umani?Intelligenza artificiale: uno yin o uno yang per i diritti umani?
Intelligenza artificiale: uno yin o uno yang per i diritti umani?
Speck&Tech175 visualizações

Último

METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ... por
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation
25 visualizações9 slides
Empathic Computing: Delivering the Potential of the Metaverse por
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the MetaverseMark Billinghurst
470 visualizações80 slides
Black and White Modern Science Presentation.pptx por
Black and White Modern Science Presentation.pptxBlack and White Modern Science Presentation.pptx
Black and White Modern Science Presentation.pptxmaryamkhalid2916
14 visualizações21 slides
Understanding GenAI/LLM and What is Google Offering - Felix Goh por
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix GohNUS-ISS
41 visualizações33 slides
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor... por
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...Vadym Kazulkin
75 visualizações64 slides
ChatGPT and AI for Web Developers por
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web DevelopersMaximiliano Firtman
181 visualizações82 slides

Último(20)

METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ... por Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation25 visualizações
Empathic Computing: Delivering the Potential of the Metaverse por Mark Billinghurst
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the Metaverse
Mark Billinghurst470 visualizações
Black and White Modern Science Presentation.pptx por maryamkhalid2916
Black and White Modern Science Presentation.pptxBlack and White Modern Science Presentation.pptx
Black and White Modern Science Presentation.pptx
maryamkhalid291614 visualizações
Understanding GenAI/LLM and What is Google Offering - Felix Goh por NUS-ISS
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix Goh
NUS-ISS41 visualizações
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor... por Vadym Kazulkin
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin75 visualizações
ChatGPT and AI for Web Developers por Maximiliano Firtman
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web Developers
Maximiliano Firtman181 visualizações
Uni Systems for Power Platform.pptx por Uni Systems S.M.S.A.
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptx
Uni Systems S.M.S.A.50 visualizações
Melek BEN MAHMOUD.pdf por MelekBenMahmoud
Melek BEN MAHMOUD.pdfMelek BEN MAHMOUD.pdf
Melek BEN MAHMOUD.pdf
MelekBenMahmoud14 visualizações
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors por sugiuralab
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
sugiuralab15 visualizações
Tunable Laser (1).pptx por Hajira Mahmood
Tunable Laser (1).pptxTunable Laser (1).pptx
Tunable Laser (1).pptx
Hajira Mahmood23 visualizações
Web Dev - 1 PPT.pdf por gdsczhcet
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdf
gdsczhcet55 visualizações
Five Things You SHOULD Know About Postman por Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman27 visualizações
Report 2030 Digital Decade por Massimo Talia
Report 2030 Digital DecadeReport 2030 Digital Decade
Report 2030 Digital Decade
Massimo Talia14 visualizações
Combining Orchestration and Choreography for a Clean Architecture por ThomasHeinrichs1
Combining Orchestration and Choreography for a Clean ArchitectureCombining Orchestration and Choreography for a Clean Architecture
Combining Orchestration and Choreography for a Clean Architecture
ThomasHeinrichs169 visualizações
Special_edition_innovator_2023.pdf por WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2216 visualizações
Future of Learning - Khoong Chan Meng por NUS-ISS
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan Meng
NUS-ISS33 visualizações
Java Platform Approach 1.0 - Picnic Meetup por Rick Ossendrijver
Java Platform Approach 1.0 - Picnic MeetupJava Platform Approach 1.0 - Picnic Meetup
Java Platform Approach 1.0 - Picnic Meetup
Rick Ossendrijver25 visualizações
How the World's Leading Independent Automotive Distributor is Reinventing Its... por NUS-ISS
How the World's Leading Independent Automotive Distributor is Reinventing Its...How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...
NUS-ISS15 visualizações
The Importance of Cybersecurity for Digital Transformation por NUS-ISS
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
NUS-ISS27 visualizações
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV por Splunk
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk88 visualizações

Breaking the Laws of Robotics: Attacking Industrial Robots

  • 1. Breaking the laws of robotics Attacking industrial robots Stefano Zanero Politecnico di Milano Partially based upon work with present and former colleagues and students: D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. Zanchettin, M. Vittone
  • 2. Originally disconnected systems Now opening up to the Internet Security as an afterthought Industrial CPS traits
  • 3. Production-critical systems Difficult to update Long service life and forever days Not necessarily managed by corp. IT (“IT vs OT”) Industrial CPS traits
  • 4. Cyber-Physical Systems Influence the physical environment Sometimes, critical systems (safety-wise, critical infra) Industrial CPS traits
  • 5. CIA triad not so important, but: ● Safety ○ people, environment, equipment ● Production continuity ○ Production plant halting ○ Ransomware (“oh, I could ransom that, too”) ● Production outcome alteration ○ → safety? Threat Scenarios
  • 6. Example: additive manufacturing micro-defects dr0wned - Cyber-Physical Attack with Additive Manufacturing, Sofia Belikovetsky, Mark Yampolskiy, Jinghui Toh, Yuval Elovici, WOOT ‘17
  • 9. Screenshot of teach pendant + formatted code snippet on the side 1) Robots are flexibly programmable...
  • 10. … and the program doesn’t say it all
  • 11. 2) Robots are extensible & connected source: http://developercenter.robotstudio.com source: abb.com source: https://universal-robots.com/plus
  • 12. 3) Robots are (sometimes) collaborative
  • 15. violating any of these requirements via a digital vector Requirements → Robot-Specific Attack Safety I/O Accuracy Integrity
  • 16. Control Loop or Calibration Tampering Safety Accuracy Integrity Attack 2
  • 18. Displayed or Actual State Alteration Safety Accuracy Integrity Attacks 4+5 Displayed or Actual State Alteration
  • 19. Displayed State Alteration Example Teach Pendant Malicious DLL
  • 23. Plenty of vulnerabilities ● BOF leading to RCE ABBVU-DMRO-124641 ● BOF in FlexPendant ABBVU-DMRO-124645 ● BOF in /command endpoint ABBVU-DMRO-128238 ● Command Injection ABBVU-DMRO-124642 ● Authentication bypass ABBVU-DMRO-124644
  • 24. Takeaways Some memory corruption Mostly logical vulnerabilities Unprotected sensitive files (e.g. config) All the components blindly trust the main computer (lack of isolation)
  • 26. That’s how we implemented the attacks
  • 28. Robots are meant to be connected
  • 29. Connected Robots: Why? ● Now: monitoring & maintenance ISO 10218-2:2011 ● Enter the I4.0: active production planning/control ○ some vendors expose REST-like APIs ○ … up to the use of mobile devices for commands ● Future: app/library stores ○ “Industrial” version of robotappstore.com?
  • 30. More in general: the “smart factory” ecosystem
  • 31. ICS on the Internet
  • 32. Not so many... Remote Exposure of Industrial Robots Search Entries Country ABB Robotics 5 DK, SE FANUC FTP 9 US, KR, FR, TW Yaskawa 9 CA, JP Kawasaki E Controller 4 DE Mitsubishi FTP 1 ID Overall 28 10
  • 33. Remote Exposure of Industrial Routers ...way more! Unknown which routers are actually robot-connected
  • 34. Trivially “Fingerprintable” (banners, firmware, manuals) Outdated Software Components Insecure Web Interface Industrial Routers: Typical Issues Cut & paste
  • 35. Proprietary Languages Language Vendor RAPID ABB KRL KUKA MELFA BASIC Mitsubishi AS Kawasaki PDL2 COMAU PacScript DENSO URScript Universal-Robot KAREL FANUC
  • 37. Vendor File System Directory Listing ABB ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect DENSO Universal-Robot FANUC ✔ ✔ Features: Handle File Resources
  • 38. Features: Load new Code at Runtime Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
  • 39. Features: Network Communication Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
  • 40. We Asked Automation Engineers... What language features do you use when programming robots?
  • 41. We Found out that… •Developers can introduce vulnerabilities that can be exploited • Yes, we found vulnerable code published on GitHub •Threat actors can abuse the language features to write malware • Yes, we were able to write a network-capable, self-spreading malware dropper
  • 42. Example: a vulnerable web server in RAPID
  • 44. Sources and Sinks Attacker-controlled input concrete impact sensitive sources sensitive sinks File Inbound communication (e.g., network) Teach Pendant (UI) Robot Movement File Handling (e.g., read) File Modification (e.g., write configuration) Call by Name
  • 45. 1 2 3 4 We built an analyzer for (some) DSL CFG Generation Dataflow Analysis Task program’s source code Parsing RAPID parser KRL parser ... MoveJ point0 WaitTime 4 MoveL point1 WaitTime 5 ... ICFG Generatio n Potential Vulnerabilities Potentially Abused Features Insecure Patterns & Malicious Patterns
  • 46. Detection Results •Hard to find public code (it’s intellectual property) •100 RAPID and KRL files on public repo (e.g., GitHub and GitLab) Vulnerability Projects Files Root Cause Network → Remote Function Exec 2 2 Dynamic code loading Network → File Access 1 4 Unfiltered open file Network → Arbitrary Movement 13 34 Unrestricted Move Joint or Move to point Detection Errors 2 12 Interrupts
  • 47. •Exchange files via network Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name Communication ABB ✔ ✔ ✔ ✔ ✔ KUKA ✔ ✔ Mitsubishi ✔ ✔ Kawasaki ✔ COMAU ✔ Indirect ✔ ✔ ✔ DENSO ✔ ✔ ✔ Universal-Robot ✔ FANUC ✔ ✔ ✔ ✔ ✔
  • 48. •Load or send data via network •Jump to code available at runtime Are These Languages Good to Write Malware? Vendor File System Directory Listing Load Module From File Call By Name ABB ✔ ✔ ✔ ✔ KUKA ✔ Mitsubishi ✔ Kawasaki COMAU ✔ Indirect ✔ ✔ DENSO ✔ ✔ Universal-Robot FANUC ✔ ✔ ✔ ✔
  • 49. •Load or send data via network •Jump to code available at runtime •Scan the network for targets Are These Languages Good to Write Malware? Vendor Communication ABB ✔ KUKA ✔ Mitsubishi ✔ Kawasaki ✔ COMAU ✔ DENSO ✔ Universal-Robot ✔ FANUC ✔
  • 50. •Load or send data via network •Jump to code available at runtime •Scan the network for targets •Turing-complete language Are These Languages Good to Write Malware?
  • 54. Manufacturing systems increasingly connected Industrial-specific classes of attacks Domain-specific languages vulnerabilities Cooperative robotics challenges Conclusions
  • 55. Stefano Zanero stefano.zanero@polimi.it @raistolo For further details, scientific papers, and more: http://robosec.org Questions?