Robot vulnerabilities, contributing publicly, getting acknowledged and raising the awareness


#1

Hello everyone,

Following with our work on robot security [1], [2] or [3] and through conversations with manufacturers, we noticed the lack of concern robot manufacturers have for security. Over the last weeks we’ve heard repeatedly things like:

  • Manufacturer 1 (ROSCon 2018): “We know our robots have a set of reported vulnerabilities” “we leave solving those up to the end user”
  • Manufacturer 2 (ROSCon 2018): “We do not care about security. Our robots do not have any security, we leave that up to the user”
  • Manufacturer 3 (ROSCon 2018): “We don’t need bounties. We don’t have flaws”

Our conclusion is that there’s not enough awareness about the security topic in the robotics field likely, caused by the lack of official vulnerability reports for robot flaws. In an attempt to raise awareness we have created the Robot Vulnerability Disclosure Programs (RVDPs), an attempt to register and record robot vulnerabilities in a formal manner.

Programs are integrated into a single repository to facilitate management of reports. Vulnerabilities are community-contributed and participants get the chance to obtain public acknowledgement by submitting a vulnerability while providing prove of it.

Cheers,


Robot Vulnerability Scoring System (RVSS)
(Guess, there's a solution I'm not seeing.) #2

Did you paraphrased those statements? Otherwise they sound scary as hell.


#3

Unfortunately not. This is literal and it only keeps getting worse.


(3,4,5-trimethoxyphenethylamine) #4

Do you have any recommendations on products to start doing hardware reversing?


#5

There’s a list of known-to-be-vulnerable devices at https://aliasrobotics.com/bounties.htm#rvdp. We’d advise to start from those robots and contribute with additional vulns (chances are there will be many more).


#6

@alias
How long do you think before AI is completely integrated into robots/machines? Obviously, they are touching base with it now, but overall like say until AI can independently work on its own, without the need of assistance???
:thinking:

-Archangel


#7

@Archangel9 I tend to be cautious with regard the short-term impact of AI-powered robots. There’s a generalized concerned about the fact that such a thing will happen shortly but looking at it from a “insider’s perspective”, things look quite different.

Full-disclosure, several of us at Alias Robotics worked previously (some are even still doing it today) in companies dedicated to robotics and AI. We attend to conferences, contribute with papers, push the state of the art of reinforcement learning applied to robots… and truth to be told, these methods do not outperform state-of-the-art robotics software (not powered by AI)

We can sincerely tell you that to the best of our knowledge a) robots are still very immature (hardware-wise specially), specially robot components (to build dexterous robots) are still extremely expensive and not affordable to the general public (this is changing rapidly though) b) we’re still far from (AI-powered) machines that learn to perform daily useful tasks. E.g., simply peeling, cutting and serving an apple is an extremely complicated task.

Having said all that, the concept of what’s a robot is unclear to many. Self-driving cars are all robots. Even those with a low degree of autonomy perform sensing, actuation and cognition. We should indeed be wary of security in these systems. That’s probably a short term concern we all should be looking at.


(system) #8

This topic was automatically closed after 30 days. New replies are no longer allowed.