Robot Vulnerability Scoring System (RVSS)


#1

Hello everyone,

Following from Robot hacking: the Robot Security Framework (RSF) and seeing the good reception it had, I’m sharing here another piece of our work that’s been made publicly available:

The Robot Vulnerability Scoring System (RVSS) is an open and free to access vulnerability scoring system for robots. Created upon a review of CVSS3, it considers major relevant issues in robotics including a) robot safety aspects, b) assessment of downstream implications of a given vulnerability, c) library and third-party scoring assessments and d) environmental variables, such as time since vulnerability disclosure or exposure on the web. Find below a the material related to RVSS:

RVSS aims to become the de-facto standard for rating robot vulnerabilities. If with contrast to CVSS, RVSS is focused on the robotics security landscape. Contributions are welcome.


Robotics CTF, a playground for robot hacking
Robot vulnerabilities, contributing publicly, getting acknowledged and raising the awareness
(Security Architect & Founder) #2

This is epic! The robot security landscape is awesome and I can’t wait for this to become more of a thing.

Do you have any ideas what makes robot security different to IoT or general computer security? Are the vectors different? Are the attack outcomes any different to ordinary equipment? Does AI have a role in this?


#3

We get this question rather often. Short answer, robots are composed by a variety of components, many of which have their own computational means and using a variety of different communications interfaces/protocols. Each component presents an attack surface. Even the simplest robots resemble more a network of computers than a single individual IoT device.

Probably. It’s a bit early for me to say. We’ll need to research a bit more but certainly, the intuition is that robots offer a bigger attack surface with vectors that aren’t common in traditional devices.

One of the aspects that robotics deals with is safety. Safety is about making sure the robot does not harm the environment (as opposed to robot security, which is, making sure that the environment does not damage the robot). Safety has big implications on the attacks outcome. Think about some modern self-driving vehicles.

It definitely does. Stay tuned for more about this, our group is pretty active on this area for both offensive and defensive mechanisms :).


#4

A follow up work is available at Robotics CTF, a playground for robot hacking.

Furthermore, RVSS is actively being used robot bounty programs. While we’re still improving both the implementation and the scoring system itself, it’s already being used as one of the indicators to calculate rewards for robot vulnerabilities.


#5

RVSS is now being used at Robot vulnerabilities, contributing publicly, getting acknowledged and raising the awareness.


(system) #6

This topic was automatically closed after 30 days. New replies are no longer allowed.