RHM: Robot Hacking Manual

Download in PDF RHM v0.5 ┃ Read online | Robot hacks

The Robot Hacking Manual (RHM) is an introductory series about cybersecurity for robots, with an attempt to provide comprehensive case studies and step-by-step tutorials with the intent to raise awareness in the field and highlight the importance of taking a security-first¹ approach. The material available here is also a personal learning attempt and it's disconnected from any particular organization. Content is provided as is and by no means I encourage or promote the unauthorized tampering of robotic systems or related technologies.

Cite this work:

@article{mayoral2022robot,
  title={Robot Hacking Manual (RHM)},
  author={Mayoral-Vilches, V{\'\i}ctor},
  journal={arXiv preprint arXiv:2203.04765},
  year={2022}
}

• Disclaimer
• History
• Motivation
• A containerized approach
• Contribute back
• Cite this work
• Introduction
  • About robot cybersecurity
  • Robot hacks
• Case studies
  • Universal Robots' UR3 (hacking a collaborative robot arm)
  • Mobile Industrial Robots' MiR100 (hacking an industrial mobile robot)
  • Robot Operating System (hacking ROS 1)
  • Robot Operating System 2 (hacking ROS 2)
  • TurtleBot 3 (hacking TurtleBot 3)
  • PX4 autopilot
• Writeups
  • Reconaissance
    • Footprinting
      • Tutorial 1: Footprinting ROS systems
      • Tutorial 2: Footprinting Secure ROS systems
      • Tutorial 3: Footprinting ROS 2 and DDS systems
  • Vulnerability research
    • Static analysis
      • Tutorial 5: Static analysis of PyRobot
    • Dynamic analysis
      • Tutorial 1: Robot sanitizers in ROS 2 Dashing
      • Tutorial 2: Robot sanitizers in MoveIt 2
      • Tutorial 3: Debugging output of robot sanitizers with GDB, hunting and fixing bugs
      • Tutorial 4: Robot sanitizers with Gazebo
      • Tutorial 5: Static analysis of PyRobot
      • Tutorial 6: Looking for vulnerabilities in ROS 2
      • Tutorial 7: Analyzing Turtlebot 3
      • Tutorial 8: SROS and SROS 2, exploring
      • Tutorial 9: Looking at DDS middleware flaws
  • Exploitation
    • General
      • Tutorial 1: Buffer overflows
      • Tutorial 2: Building shellcode
      • Tutorial 3: Exploiting
      • Tutorial 4: Return to libc
      • Tutorial 5: Return-Oriented Programming (ROP)
      • Tutorial 6: Remote shell
      • Tutorial 7: pwntools - CTF toolkit
      • Tutorial 8: Linux Binary Protections (external)
      • Tutorial 9: Building a pwnbox
      • Tutorial 10: Bypassing NX with Return Oriented Programming (WIP, unfinished)
    • Robotics-specific
      • Tutorial 11: Unauthenticated registration/unregistration with ROS Master API
      • Tutorial 12: Unauthenticated updates in publisher list for specified topic
      • Tutorial 13: Sockets left open and in CLOSE_WAIT state in ROS
  • Forensics
    • Tutorial 1: Basic robot forensics, an unauthenticated unregistration in ROS
    • Tutorial 2: Locating ROS logs in memory (failed)
    • Tutorial 3: Capturing memory in Linux-based robots
    • Tutorial 4: Basic robot forensics 2, unauthenticated updates in publisher list for specified topic (unfinished)
  • Hardening
    • Tutorial 1: A study of container technologies
• Talks:
  • 2016
    • Securing ROS over the wire, in the graph, and through the kernel, ROSCon 2016
  • 2017
    • Hacking Robots Before Skynet, Ekoparty Security Conference 2017
    • An Experimental Security Analysis of an Industrial Robot Controller, IEEE Symposium on Security and Privacy 2017
    • SROS: Current Progress and Developments, ROSCon 2017
    • Breaking the Laws of Robotics: Attacking Industrial Robots, Black Hat USA 2017
  • 2018
    • Introducing the Robot Security Framework (spanish), Navaja Negra Conference 2018
    • Arm DDS Security library: Adding secure security to ROS2, ROSCon 2018
    • Leveraging DDS Security in ROS 2, ROSCon 2018
  • 2019
    • Defensive and offensive robot security, ROS-Industrial Conference 2019
    • Black Block Recorder: Immutable Black Box Logging via rosbag2 and DLTs, ROSCon 2019
    • Lessons learned on real-time and security (slides), ROS 2 Real-Time Workshop, ROSCon 2019
  • 2020
    • Current security threat landscape in robotics, European Robotics Forum (ERF) 2020
    • Security in ROS & ROS 2 robot setups, European Robotics Forum (ERF) 2020
    • Akerbeltz, industrial robot ransomware, International Workshop on Engineering Resilient Robot Software Systems, International Conference on Robotic Computing (IRC 2020).
    • Zero Trust Architecture in Robotics, Workshop on Security and Privacy in Robotics, ICRA 2020
    • The cybersecurity status of PX4, PX4 Developer Summit Virtual 2020
    • Detecting Insecure Code Patterns in Industrial Robot Programs, Proceedings of the 15th ACM Asia Conference on Computer and Communications Security 2020
    • Protecting robot endpoints against cyber-threats, ROS-Industrial Conference 2020
    • Robots and Privacy, Shmoocon 2020
  • 2021
    • Uncovering Planned Obsolescence Practices in Robotics and What This Means for Cybersecurity, BlackHat USA 2021
    • The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely!, BlackHat Europe 2021
    • Breaking ROS 2 security assumptions: Targeting the top 6 DDS implementations, ROS-Industrial Conference 2021
    • DDS and ROS 2 cybersecurity, ROS 2 Security Working Group
  • 2022
    • A Deep Dive Into The DDS Protocol (to appear), S4x22 Security Conference

Robot hacks

A non-exhaustive list of cybersecurity research in robotics containing various related robot vulnerabilities and attacks due to cybersecurity issues.

👹 Codename/theme	🤖 Robotics technology affected	👨‍🔬 Researchers	📖 Description	📅 Date
	iRobot’s Roomba J7 series robot vacuum	N/A	Personal pictures in a home environment were found in the Internet taken by an iRobot’s Roomba J7 series robot vacuum. The photos vary in type and in sensitivity. The most intimate image we saw was the series of video stills featuring the young woman on the toilet, her face blocked in the lead image but unobscured in the grainy scroll of shots below. In another image, a boy who appears to be eight or nine years old, and whose face is clearly visible, is sprawled on his stomach across a hallway floor. A triangular flop of hair spills across his forehead as he stares, with apparent amusement, at the object recording him from just below eye level. Various other home pictures that tag objects in the environment were found.	19-19-2022
	Unitree's Go1	d0tslash (MAVProxyUser in GitHub)	A hacker found a kill switch for a gun–wielding legged robot2345. The hack itself leverages a kill switch functionality/technology that ships in all units of the robot and that listens for a particular signal at 433Mhz. When it hears the signal, the robot shuts down. d0tslash used a portable multi-tool for pentesters (Flipper Zero) to emulate the shutdown, copying the signal the robot dog’s remote broadcasts over the 433MHz frequency.	09-08-2022
	Enabot's Ebo Air	Modux6	Researchers from Modux found a security flaw in Enabot Ebo Air #robot and responsibly disclosed their findings. Attack vectors could lead to remote-controlled robot spy units. Major entry point appears to be a hardcoded system administrator password that is weak and shared across all of these robots. Researchers also found information disclosure issues that could lead attackers to exfiltrate home (e.g. home WiFi password) that could then be used to pivot into other devices through local network.	21-07-2022
Analyzing the Data Distribution Service (DDS) Protocol for Critical Industries7	ROS 2, eProsima's Fast-DDS, OCI's OpenDDS, ADLINK's (now ZettaScale's) CycloneDDS, RTI's ConnextDDS, Gurum Networks's GurumDDS and Twin Oaks Computing's CoreDX DDS	Ta-Lun Yen, Federico Maggi, Víctor Mayoral-Vilches, Erik Boasson et al. (various)7	This research looked at the OMG Data Distribution Service (DDS) standards and its implementations from a security angle. 12 CVE IDs were discovered 🆘, 1 specification-level vulnerability identified 💻, and 6 DDS implementations were analyzed (3 open source, 3 proprietary). Results hinted that DDS's security mechanisms were not secure and much effort on this side was required to protect sensitive industrial and military systems powered by this communication middleware. The research group detected that these security issues were present in almost 650 different devices exposed on the Internet, across 34 countries and affecting 100 organizations through 89 Internet Service Providers (ISPs).	19-04-2022
Hacking ROS 2, the Robot Operating System8	ROS 2	Víctor Mayoral-Vilches et al. (various)89	A team of security researchers led by the spanish firm Alias Robotics on their robotics focus discovered various security vulnerabilities that led to compromising the Robot Operating System 2 (ROS 2) through its underlying communication middleware (the DDS communications middleware). Researchers demonstrated how to dissect ROS 2 communications and perform ROS 2 reconnaissance, ROS 2 network denial of service through reflection attacks, and ROS 2 (Node) crashing by exploiting memory overflows which could lead to remote execution of arbitrary code. To mitigate these security vulnerabilities, Alias Robotics contributed to various open source tools including to SROS29 with a series of developer tool extensions that help detect some of these insecurities in ROS 2 and DDS. ROS 2 community-owner Open Robotics did not follow up with these results or contributions and disregarded overall its relevance, pushing security responsibility aside10	22-04-2022
JekyllBot:511	Aethon TUG smart robots (various)	Cynerio11	JekyllBot:5 is a collection of five critical zero-day vulnerabilities that enable remote control of Aethon TUG smart autonomous mobile robots and their online console, devices that are increasingly used for deliveries in global hospitals. More tech details about security findings at 12.	01-04-2022
Robot Teardown, stripping industrial robots for good13	Universal Robots' UR3, UR5, UR10, UR3e, UR5e, UR10e and UR16e	Víctor Mayoral-Vilches et al. (various)14	This research led by Alias Robotics introduced and advocated for robot teardown as an approach to study robot hardware architectures and fuel security research. Security researchers showed how teardown can help understanding the underlying hardware for uncovering security vulnerabilities. The group showed how robot teardown helped uncover more than 100 security flaws with 17 new CVE IDs granted over a period of two years. The group also demonstrated how various robot manufacturers are employing various planned obsolescense practices and how through teardown, planned obsolescence hardware limitations can be identified and bypassed obtaining full control of the hardware and giving it back to users, which poses both an opportunity to claim the right to repair as well as a threat to various robot manufacturers’ business models	20-07-2021
Rogue Automation13	(various robotic programming languages/frameworks) ABB's Rapid, Comau's PDL2, Denso's PacScript, Fanuc's Karel, Kawasaki's AS, Kuka's KRL, Mitsubishi's Melfa, and Universal Robots's URScript	Federico Maggi, Marcello Pogliani (various)13	This research unveils various hidden risks of industrial automation programming languages and frameworks used in robots from ABB, Comau, Denso, Fanuc, Kawasaki, Kuka, Mitsubishi, and Universal Robots. The security analysis performed in here reveals critical flaws across these technologies and their repercussions for smart factories.	01-08-2020
Securing disinfection robots in times of COVID-191516	UVD Robots' UVD Robot® Model B, UVD Robot® Model A	Víctor Mayoral-Vilches et al. (Alias Robotics)1516	The robots used in many medical centres to fight against COVID-19 for disinfection tasks were found vulnerable to various previously reported vulnerabilities (see 17) while using Ultraviolet (UV) light, which can affect humans causing suntan, sunburn or even a reportedly increased risk of skin cancer, among others. The team at Alias Robotics confirmed experimentally these issues and found many of these robots insecure, with many unpatched security flaws and easily accessible in public spaces. This led them to develop mitigations for these outstanding security flaws and offered free licenses16 for such patches to hospitals and industry during the pandemic	19-09-2020
The week of Mobile Industrial Robots' bugs17	Mobile Industrial Robots' MiR100, MiR200, MiR250, MiR500, MiR600, MiR1000, MiR1350, Easy Robotics' ER200, Enabled Robotics' ER-FLEX, ER-LITE, ER-ONE, UVD Robots' UVD Robot® Model B, UVD Robot® Model A	Víctor Mayoral-Vilches et al. (Alias Robotics)18	Having identified relevant preliminary security issues, after months of failed interactions with Mobile Industrial Robots’ (MiR) robot manufacturer while trying to help secure their robots, with this disclosure, Alias Robotics decided to empower end-users of Mobile Industrial Robots’ with information. The disclosure included a week of hacking efforts that finalized with the public release of 14 cybersecurity vulnerabilities affecting MiR industrial robots and other downstream manufacturers, impacting thousands of robots. More than 10 different robot types were affected operating across industrial spaces and all the way to public environments, such as airports and hospitals. 11 new CVE IDs were assigned as part of this effort	24-06-2020
Attacks on Smart Manufacturing Systems19	Mitsubishi Melfa V-2AJ	Federico Maggi, Marcello Pogliani (various)19	Systematic security analysis exploring a variety of attack vectors on a real smart manufacturing system, assessing the attacks that could be feasibly launched on a complex smart manufacturing system	01-05-2020
The week of Universal Robots' bugs18	Universal Robots' UR3, UR5, UR10, UR3e, UR5e, UR10e and UR16e	Víctor Mayoral-Vilches et al. (Alias Robotics)18	For years Universal Robots did not care nor responded about cybersecurity issues with their products. Motivated by this attitude, Alias Robotics' team launched an initiative to empower Universal Robots' end-users, distributors and system integrators with the information they so much require to make use of this technology securely. This effort was called the week of Universal Robots' bugs and in total, more than 80 security issues were reported in the robots of Universal robots	31-03-2020
Akerbeltz: Industrial robot ransomware20	Universal Robots' UR3, UR5, UR10	Víctor Mayoral-Vilches et al. (Alias Robotics)20	In an attempt to raise awareness and illustrate the ”insecurity by design in robotics”, the team at Alias Robotics created Akerbeltz, the first known instance of industrial robot ransomware. The malware was demonstrated using the UR3 robot from a leading brand for industrial collaborative robots, Universal Robots. The team of researchers discussed the general flow of the attack including the initial cyber-intrusion, lateral movement and later control phase	16-12-2019
Rogue Robots21	ABB’s IRB140	Federico Maggi, Davide Quarta et al. (various)21	Explored, theoretically and experimentally, the challenges and impacts of the security of modern industrial robots. Researchers also simulated an entire attack algorithm from an entry point to infiltration and compromise to demonstrate how an attacker would make use of existing vulnerabilities in order to perform various attacks.	01-05-2017
Hacking Robots Before Skynet22	SoftBank Robotics's NAO and Pepper, UBTECH Robotics' Alpha 1S and Alpha 2, ROBOTIS' OP2 and THORMANG3, Universal Robots' UR3, UR5, UR10, Rethink Robotics' Baxter and Sawyer and several robots from Asratec Corp	Lucas Apa and César Cerrudo (IOActive)22	Discovered critical cybersecurity issues in several robots from multiple vendors which hinted about the lack of security concern and awareness in robotics.	30-01-2017
Robot Operating System (ROS): Safe & Insecure23	ROS	Lubomir Stroetmann (softSCheck)23	This is one of the earliest studies touching on ROS and offers security insights and examples about the lack of security considerations in ROS and the wide attack surface exposed by it. The author hints that with ROS, protection mechanism depends on the (security) expertise of the user, which is not a good assumption in the yet security-immature robotics community. Moreover the author hints about various vulnerabilities that are easily exploitable due to the XMLRPC adoption within the ROS message-passing infrastructure including various XML bomb attacks (e.g. "billion laughs")	28-02-2014

Footnotes

1. Read on what a security-first approach in here. ↩

2. Hacker detects a kill switch to take down the gun-toting robot dog https://interestingengineering.com/innovation/gun-toting-robot-dog-kill-switch ↩

3. Hacker Finds Kill Switch for Submachine Gun–Wielding Robot Dog https://www.vice.com/en/article/akeexk/hacker-finds-kill-switch-for-submachine-gun-wielding-robot-dog ↩

4. HangZhou Yushu Technology (Unitree) go1 development notes https://github.com/MAVProxyUser/YushuTechUnitreeGo1#pdb-emergency-shut-off-backdoor-no-way-to-disable ↩

5. Russia's new 'robot dog war machine' is just Chinese household 'toy' with gun taped on https://www.dailystar.co.uk/news/world-news/russias-new-robot-dog-war-27765427 ↩

6. Serious security issues uncovered with the Enabot Smart Robot https://www.modux.co.uk/post/serious-security-issues-uncovered-with-the-enabot-smart-robot. Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users https://www.hackread.com/enabot-ebo-air-home-security-robot-flaws-spy-on-users/. Enabot Ebo Air smart robot hacking flaw found, and fixed https://www.which.co.uk/news/article/enabot-ebo-air-smart-robot-hacking-flaw-found-and-fixed-aJCkd2I4cxPs ↩

7. Analyzing the Data Distribution Service (DDS) Protocol for Critical Industries https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-the-data-distribution-service-dds-protocol.pdf ↩ ↩²

8. Case study, hacking the Robot Operating System (ROS) 2 https://github.com/vmayoral/robot_hacking_manual/tree/master/1_case_studies/2_ros2. See https://news.aliasrobotics.com/alias-robotics-dds-ros2-vulnerabilities/ and https://www.prnewswire.com/news-releases/alias-robotics-discovers-numerous-and-dangerous-vulnerabilities-in-the-robot-operating-systems-ros-communications-that-can-have-devastating-consequences-301513741.html for public announcements. See https://www.robotics247.com/article/alias_robotics_claims_to_find_security_flaws_in_ros_2_open_robotics_responds for some public discussions ↩ ↩²

9. SROS2: Usable Cyber Security Tools for ROS 2 https://aliasrobotics.com/files/SROS2.pdf ↩ ↩²

10. Alias Robotics Claims to Find Security Flaws in ROS 2; Open Robotics Responds https://www.robotics247.com/article/alias_robotics_claims_to_find_security_flaws_in_ros_2_open_robotics_responds ↩

11. JekyllBot:5 https://www.cynerio.com/jekyllbot-5-vulnerability-disclosure-report ↩ ↩²

12. JekyllBot:5 allows attackers who exploit these vulnerabilities to: a) See real-time footage ofa hospital through the robots’ cameras, b) Take videos and pictures of vulnerable patients and hospital interiors, c) Interfere with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems, d) Access patient medical records inviolation of HIPAA and other international regulations regarding the protection ofpersonal health information, e) Take control of the robots’ movement and crash them into people and objects, or use them to harass patients and staff, f) Disrupt the regular maintenancetasks regularly performed by the robots, including house keeping, cleaning, and delivery errands, g) Disrupt or block robot delivery of critical patient medication, or stealit outright, with potentially damaging or fatal patient outcomes as a result, h) Hijack legitimate administrative user sessions in the robots’ online portal and inject malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities. ↩

13. Rogue Automation: Vulnerable and Malicious Code in Industrial Programming https://robosec.org/downloads/wp-rogue-automation-vulnerable-and-malicious-code-in-industrial-programming.pdf ↩ ↩² ↩³

14. Robot teardown, stripping industrial robots for good https://aliasrobotics.com/files/robot_teardown_paper.pdf ↩

15. Securing disinfection robots in times of COVID-19 https://news.aliasrobotics.com/securing-uvdrobots/ ↩ ↩²

16. Insecure robots during COVID-19 https://www.youtube.com/watch?v=1lNNYpSP8Dg (see https://www.youtube.com/watch?v=QFubEoWm7bA for a version in spanish) ↩ ↩² ↩³

17. The week of Mobile Industrial Robots' bugs https://news.aliasrobotics.com/the-week-of-mobile-industrial-robots-bugs/ ↩ ↩²

18. The week of Universal Robots' bugs https://news.aliasrobotics.com/week-of-universal-robots-bugs-exposing-insecurity/ ↩ ↩² ↩³

19. Attacks on Smart Manufacturing Systems A Forward-looking Security Analysis https://robosec.org/downloads/wp-attacks-on-smart-manufacturing-systems.pdf ↩ ↩²

20. Industrial robot ransomware: Akerbeltz https://arxiv.org/pdf/1912.07714.pdf ↩ ↩²

21. Rogue Robots: Testing the Limits of an Industrial Robot’s Security https://www.blackhat.com/docs/us-17/thursday/us-17-Quarta-Breaking-The-Laws-Of-Robotics-Attacking-Industrial-Robots-wp.pdf ↩ ↩²

22. Hacking Robots Before Skynet https://ioactive.com/pdfs/Hacking-Robots-Before-Skynet.pdf ↩ ↩²

23. Robot Operating System (ROS): Safe & Insecure, Security Investigation of the Robot OS (ROS) https://www.researchgate.net/profile/Hartmut-Pohl/publication/263369999_Robot_Operating_System_ROS_Safe_Insecure/links/57fdf86108ae727563ffd5a6/Robot-Operating-System-ROS-Safe-Insecure.pdf ↩ ↩²