Industrial Robots, Hacking and Sabotage

Everything is online these days creating the perfect storm for cyber shenanigans. Sadly, even industrial robotic equipment is easily compromised because of our ever increasingly connected world. A new report by Trend Micro shows a set of attacks on robot arms and other industrial automation hardware.

This may not seem like a big deal but image a scenario where an attacker intentionally builds invisible defects into thousands of cars without the manufacturer even knowing. Just about everything in a car these days is built using robotic arms. The Chassis could be built too weak, the engine could be built with weaknesses that will fail far before the expected lifespan. Even your brake disks could have manufacturing defects introduced by a computer hacker causing them to shatter under heavy braking. The Forward-looking Threat Research (FTR) team decided to check the feasibility of such attacks and what they found was shocking. Tests were performed in a laboratory with a real in work robot. They managed to come up with five different attack methods.


Attack 1: Altering the Controller’s Parameters
The attacker alters the control system so the robot moves unexpectedly or inaccurately, at the attacker’s will.

  • Concrete Effects: Defective or modified products
  • Requirements Violated: Safety, Integrity, Accuracy

Attack 2: Tampering with Calibration Parameters
The attacker changes the calibration to make the robot move unexpectedly or inaccurately, at the attacker’s will.

  • Concrete Effects: Damage to the robot
  • Requirements Violated: Safety, Integrity, Accuracy

Why are these robots even connected? As automated factories become more complex it becomes a much larger task to maintain all of the systems. The industry is moving toward more connectivity to monitor the performance of all machines on the factory floor, tracking their service lifetime and alerting when preventive maintenance is necessary. This sounds great for its intended use, but as with all connected devices there are vulnerabilities introduced because of this connectivity. This becomes especially concerning when you consider the reality that often equipment that goes into service simply doesn’t get crucial security updates for any number of reasons (ignorance, constant use, etc.).

For the rest of the attack vectors and more detailed info you should refer to the report (PDF) which is quite an interesting read. The video below also shows insight into how these type of attacks might affect the manufacturing process.

Continue reading “Industrial Robots, Hacking and Sabotage”

U.S Air Force Is Going To Get Hacked

[HackerOne] has announced that US Dept of Defense (DoD) has decided to run their biggest bug bounty program ever, Hack the Air force.

You may remember last year there was the Hack the Pentagon bug bounty program, Well this year on the coattails of last year’s success the DoD has decided to run an even bigger program this year: Hack The Air force. Anyone from “The Five Eyes” countries (Australia, Canada, New Zealand, the United Kingdom and of course the United States) can take part. This is a change in format from the Pentagon challenge which was only open to U.S citizens and paid out a total of around $75,000 in bug bounties.

Now obviously there are rules. You can’t just hack The Air Force no matter how much you want “All their base are belong to you”. The DoD want computer hackers to find bugs in their public facing web services and are not so much interested in you penetration testing their weapons systems or any other critical infrastructure. Try that and you may end up with a lovely never-ending tour of Guantanamo Bay Naval Base.

Lori Drew not guilty of felony computer hacking

Today, a Los Angeles jury acquitted [Lori Drew] of three felony computer hacking charges. She was convicted of three misdemeanor counts for accessing a computer without authorization. The 49-year-old Missouri resident posed as a teenage boy on MySpace and harassed her daughter’s estranged friend [Megan Meier], who then committed suicide. The case came to our attention in May because of it’s unorthodox use of the federal Computer Fraud and Abuse Act. Prosecutors charged that by violating MySpace’s Terms of Service, [Drew] had gained unlawful access to their computers for the purpose of harming others, an equivalent to computer hacking. While an interesting approach to cyberbullying, it would set a very dangerous precedent for anyone that had violated a TOS before (all of us). The case broke when [Drew]’s employee [Ashley Grills] testified that no one involved had read the TOS, that the hoax was all her idea, and that she sent the final message to [Meier].