Hordes of research robots could be hijacked for fun and sabotage

Many experimental robots that live in research laboratories around the world may be wide open to hackers.

Researchers at Brown University, led by Stefanie Tellex, scanned the internet for machines running ROS, a popular open-source operating system used on many research robots. Tellex and her team discovered more than a hundred systems vulnerable to being accessed and even manipulated over the internet. Not a huge number—but a warning for the research community, Tellex says.

These systems could present a juicy target for online mischief makers, Tellex says, simply because it would be fun, and cool, to take control of a real live robot. But it isn’t inconceivable that state-sponsored hackers might also go after them, in order to steal data, disrupt research, or cause accidents.

The issue isn't due to any security flaws or oversights in the design of ROS. Users are simply expected to secure their own systems. But without due care, the situation could get worse in the future. “As robotics becomes more advanced and spread out around the world, it’s important that we make sure these systems are fielded in a secure way,” Tellex says.

The Brown researchers tried taking control of one robot, a machine at the University of Washington, with the permission of its owners. They showed that they could read the robot’s sensors and move it around.

They even found one vulnerable machine in their own lab. This was so that another research group, at MIT, could remotely operate the robot using virtual reality. “But we should’ve taken it offline after we were done,” Tellex says.

Robots have been common at university research labs for decades. These machines are becoming ever more sophisticated, and researchers are exploring many ideas that involve connecting robotic systems over a network, for purposes including tele-operation and allowing one robot to share what it has learned with another system—an approach known as “cloud robotics” (see “Robots that teach each other”).

ROS, which stands for Robotic Operating System, has been a boon to robotics researchers over the past few years. It provides a standard platform for programming different hardware and a growing array of packages that give robots new capabilities. These includes libraries and algorithms for vision, navigation, manipulation, and so on.

ROS has been also been adopted by startups developing novel robotic systems including self-driving cars, warehouse helpers, and delivery bots. Industrial engineers tend to take security a lot more seriously, but internet connectivity inevitably creates new vectors for hackers (see “Botnets of things”).

“When we started work on ROS over 10 years ago, we wanted the system to be as flexible and as easy to use as possible,” says Brian Gerkey, CEO of Open Robotics, the foundation behind ROS. “As the authors of this paper note, users of ROS should take care to secure their ROS systems at the network level.”

Gerkey notes that Open Robotics is currently working on a 2.0 version of the software that will be more secure. The foundation has also announced the creation of a new, security-focused version of the operating system, called SROS (Secure ROS).