Significant security flaws were found in an examination of six home and industrial robots, according to a report from IOActive, a Seattle-based computer security consulting firm.

Share story

SAN FRANCISCO — In the coming age of robotics, many of those autonomous machines will be internet-connected and mobile. What could possibly go wrong?

Significant security flaws were found in an examination of six home and industrial robots, according to a report released last week by IOActive, a Seattle-based computer-security consulting firm. The report notes that only four of the six companies responded to the firm’s alert, and only two said they planned to make patches after being informed of the problems.

The researchers, who described the categories of vulnerabilities they had discovered in the report but not the specific flaws, said their research was simply an early reconnaissance of the field.

“It’s important to note that our testing was not even a deep, extensive security audit, as that would have taken a much larger investment of time and resources,” the authors wrote. “The goal for this work was to gain a high-level sense of how insecure today’s robots are, which we accomplished.”

Despite the general nature of the report, industry specialists warn that if robot makers fail to take a security-first approach, it may haunt them.

“The desire for online commerce brought strong cryptographic algorithms into our daily lives,” said Joe Britt, the chief executive of Afero, a Los Altos, California-based maker of secure communications systems for the world of so-called embedded computing. “As embedded systems for sensors and robotics flourish in the next wave of computing, failure to apply these proven safeguards is like leaving the locks off of our doors.”

It is common for manufacturers that do not have good security practices to not know how to deal with vulnerability reports. Most of them probably do not have a procedure to handle reports or to provide security fixes to customers.

Robots are widely used in manufacturing. But they are largely systems like robot arms that do not have autonomous functions and cannot move around in the environment.

There is a growing consensus that during the next decade, advances in artificial intelligence will make it possible for robots to move freely in unstructured environments. This will bring self-driving cars closer to reality and will also lead to a generation of machines that will operate autonomously in homes, offices and factories.

The authors of the new report challenged the robotics industry, saying that not enough attention was being given to well-known security issues that have proved devastating for existing commercial computer networks.

“We call it an internet-of-things with arms and legs and wheels,” said Cesar Cerrudo, chief technology officer of IOActive. “The surface of attack is huge. Each robot has multiple ways it can be compromised.”

The researchers said that robot makers were rushing their products to market without giving adequate consideration to security.

“Vendors like to add features that please the public,” said Lucas Apa, a senior security consultant at IOActive and one of the authors of the report. “They forget about important issues. Robots can have microphones and cameras; they can walk and they can grab objects. People don’t realize the consequences of something that can grab an object or can hear or see you.”

The report identifies security flaws in a number of robots, including NAO and Pepper home robots made by SoftBank Robotics; and manufacturing robots from Universal Robots and Rethink Robotics, two makers of robot arms that are intended to collaborate with human workers in assembly-line applications.

It also identifies flaws in small humanoid robots made by UBTECH Robotics and Robotis, and in robotics software developed by Asratec Corp.

One of the robot manufacturers identified by the report disputed the findings. Two of the criticisms leveled by the researchers actually involved “features” added for research and education markets, according to Gil Haylon, a Rethink Robotics spokesman. He added that other vulnerabilities had been “phased out” in the latest software release for the company’s Baxter and Sawyer robots, which are intended for light assembly operations.

Universal Robots said it was looking into the issue raised by the researchers. The other companies did not immediately respond to requests for comment.