The ethical hackers at Alias Robotics have published a paper describing how easy it is to create and deploy industrial robot ransomware on the Universal Robots UR3, the best-selling collaborative robot worldwide.
“Too many robot manufacturers benefit from security by obscurity nowadays. Many hold an irresponsible position with regard to cybersecurity, claiming that their ‘robots are open to facilitate system integration’, and avoid including security features that protect robot users and operators,” explains Víctor Mayoral-Vilches, CTO at Alias Robotics.
In a call to foster awareness and mature security practices in the industry, researchers at Alias Robotics have created the first robot ransomware (a type of malware that demands a ransom payment). The ransomware, the first of its kind, was named after Akerbeltz, a Basque mythological entity that acted as a protector of animals; the name alludes to collaborative robots, which are built to work closely and safely alongside the human operators around them.
The Akerbeltz ransomware exploits several vulnerabilities to break into the robot, takes control of it, encrypts and locks the system completely, and demands bitcoin to unlock it. The researchers will not release the malware's source code; instead they are calling for action and warn that “attacks like Akerbeltz are to be foreseen” if adequate measures are not taken. “Robot manufacturers are playing the fool and are negligently putting robot users at risk with their attitude. End users are used to taking security-by-design for granted, and this is clearly not the case. We call again for security researchers to adopt a disclosure policy that forces manufacturers to react before it is too late. We believe that robot end users need to take the lead and start questioning the cyber risks associated with these kinds of industrial robots,” said Endika Gil-Uriarte, Chief Scientific Officer at Alias Robotics.