Ransomware Attacks On Robots


Like a badly written script from an 80s movie, robots are created to fill our ever-growing appetite for convenience and profits. Then the rebels start hacking the robots for their own nefarious reasons. This used to be such a far-fetched idea, but we are living out this dystopia now.


Robots of all types and sizes have already seen their fair share of hacks and vulnerabilities, from the Kuka Controller CVE-2022-2242 to the Skygrabber ($26) video feed hacking of US Predator drones in Iraq in 2009. It has become very clear that the fields of robotics and cybersecurity need to be much more closely aligned.

Drone hacking 101


Hacking military drones is dangerous, yes, but the bigger problems will come from disrupting robots working production lines. There is no doubt that defence contractors are spending large amounts of money on securing their product communications and verifying the security of their chipsets and electronic components, and this will go a long way in preventing future compromises and incidents.


Manufacturing robotics is a different story. With robots relying on controllers, inputs from Programmable Logic Controllers, and possibly HMI or workstation access on the same network, there are ample entry points for an attacker to manipulate and change robotic behaviour on the factory floor. Changes can be catastrophic, or just small enough to pass quality control but still produce non-working products. We have seen many CVEs come out for all the devices mentioned above, and it does not look like industrial vendors can keep up with the constant flood of exploits being found on a daily basis.

ICS CVE - 2023


From the remediation instructions from Kuka Robotics below, you can see that industrial vendors make the same mistakes we make in the IT world. Because these devices are producing product 24/7, it is very difficult to just patch them; in industrial areas patching is sometimes not possible at all.

Restricting incoming network access to the product altogether and only allow required traffic. In particular, traffic to TCP port 49003 should be blocked. Note: If access to TCP port 49003 is blocked, the following services cannot be used anymore: WorkVisual, BackupManager. - It is still recommended to change all Windows and smartHMI users' passwords as documented in the product manuals (see above).

Taken from: https://www.kuka.com/advisories-CVE-2022-2242
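To confirm that the restriction quoted above is actually in force, a defender can audit firewall flow records for accepted traffic to the controllers. The Python below is an added example, not code from Kuka or from the original article; the controller addresses, the list of required traffic and the log format are constructed assumptions.

```python
import csv
import io
import ipaddress

ADVISORY_PORT = 49003  # TCP port the quoted advisory says should be blocked

# Constructed site data (assumptions, not taken from the advisory).
CONTROLLERS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
# (source network, destination TCP port) pairs this hypothetical site requires.
REQUIRED = [(ipaddress.ip_network("10.20.1.0/28"), 8443)]

# Constructed firewall flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2023-03-01T08:00:02Z,10.20.1.5,10.20.0.11,tcp,8443,accept
2023-03-01T08:00:09Z,10.30.4.77,10.20.0.11,tcp,49003,accept
2023-03-01T08:01:15Z,10.20.1.5,10.20.0.12,tcp,49003,accept
2023-03-01T08:02:40Z,10.30.4.77,10.20.0.12,tcp,49003,drop
2023-03-01T08:03:11Z,10.30.4.80,10.20.0.12,tcp,445,accept
2023-03-01T08:04:00Z,10.20.1.5,10.50.0.9,tcp,49003,accept
"""

def is_required(src, proto, dport):
    """True if the flow matches an entry in the site's required-traffic list."""
    return proto == "tcp" and any(src in net and dport == port for net, port in REQUIRED)

def audit(flow_text):
    """Return accepted flows to controllers that the advisory says to restrict."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, src, dst, proto, dport, action = row
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if dst not in CONTROLLERS or action != "accept":
            continue  # only traffic that actually reached a controller matters
        if proto == "tcp" and dport == ADVISORY_PORT:
            reason = "advisory-port-open"  # flagged even from trusted sources
        elif not is_required(src, proto, dport):
            reason = "not-required"
        else:
            continue
        findings.append((ts, str(src), str(dst), dport, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Every accepted flow to TCP 49003 is reported regardless of source, because the advisory recommends blocking the port outright at the cost of WorkVisual and BackupManager.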

Example of a controller at which the CVE is aimed.

Bringing down these robots directly affects the profitability of an organization. As ransomware becomes more creative and threat actors find ways to embed ransomware in controllers, HMI web code or maybe even on the robot itself, the chances of companies paying the ransom become exponentially greater.

The fact is many organizations don't have rock-solid backup policies for PLC, controller data, robotic configs, HMI images and workstation/MES devices. Corporate backup policies have not been overlaid on the OT environment.

So we have covered defence and we have covered manufacturing. The last part I want to touch on is the robots we will live and work around in our houses. The sensing ability of these robots, similar to Ring, Alexa and your mobile phone, will make for perfect surveillance opportunities for hackers, who will use images, location data, compromising discussions and actions against us for money. This is a future which is very, very possible.



Once we become dependent on these robots, shutting them down for ransom will be the next step. I can only imagine my robot helper having a built-in Fortinet Virtual NGFW, IPS, IDS, AV, AI Analyst, CASB and who knows what else, just to make sure the neighbour next door can't put off my Afrikaans music in the middle of the night by hacking my robot and then ransoming it just for the extra pain of it.


Be cyber safe out there.


Andre Froneman - Industrial Cybersecurity Specialist


#IIoT #icssecurity #Cybersecurity #ics #plc #scada #robotics
