The Robot Vulnerability Scoring System (RVSS) is an open and free to access vulnerability scoring system for robots. Created upon a review of CVSS3, it considers major relevant issues in robotics including a) robot safety aspects, b) assessment of downstream implications of a given vulnerability, c) library and third-party scoring assessments and d) environmental variables, such as time since vulnerability disclosure or exposure on the web. Find below the material related to RVSS:
RVSS aims to become the de-facto standard for rating robot vulnerabilities. In contrast to CVSS, RVSS is focused on the robotics security landscape. Contributions are welcome.
This is epic! The robot security landscape is awesome and I can’t wait for this to become more of a thing.
Do you have any ideas what makes robot security different to IoT or general computer security? Are the vectors different? Are the attack outcomes any different to ordinary equipment? Does AI have a role in this?
We get this question rather often. Short answer, robots are composed of a variety of components, many of which have their own computational means and use a variety of different communications interfaces/protocols. Each component presents an attack surface. Even the simplest robots resemble more a network of computers than a single individual IoT device.
Probably. It’s a bit early for me to say. We’ll need to research a bit more but certainly, the intuition is that robots offer a bigger attack surface with vectors that aren’t common in traditional devices.
One of the aspects that robotics deals with is safety. Safety is about making sure the robot does not harm the environment (as opposed to robot security, which is making sure that the environment does not damage the robot). Safety has big implications on the attack outcome. Think about some modern self-driving vehicles.
It definitely does. Stay tuned for more about this, our group is pretty active in this area for both offensive and defensive mechanisms :).
Furthermore, RVSS is actively being used in robot bounty programs. While we’re still improving both the implementation and the scoring system itself, it’s already being used as one of the indicators to calculate rewards for robot vulnerabilities.