The entire corpus of science fiction has trained humanity to fear the day when helpful household and industrial robots turn against it, in a Skynet-style uprising. But a much more near-term threat lurks in the age of automation: not that anthropomorphic gadgets will develop minds of their own, but that a very human hacker will take control of them.

At the Hack in the Box security conference later this week in Singapore, Argentinian security researchers Lucas Apa and Cesar Cerrudo plan to demonstrate hacker attacks they developed against three popular robots: the humanoid domestic robots known as the Alpha2 and NAO, as well as a larger, industrial-focused robotic arm sold by Universal Robots. The duo plan to show—and have captured in videos like the one above—that they can hack those machines to either change critical safety settings or, in the case of the two smaller bots, send them whatever commands they choose, turning them into surveillance devices that silently transmit audio and video to a remote spy.

"They can move, they can hear, they can see," says Cesar Cerrudo, the chief technology officer of IOActive, where both of the researchers work. Those features could soon make robots at least as tempting a target for spies and saboteurs as traditional computers or smartphones, he argues. "If you hack one of these things, the threat is bigger."

Robo Hacks

In terms of actual, physical danger, the most serious of the three attacks Cerrudo and Apa developed affects Universal Robots' "collaborative" robots. These multi-jointed arms extend as far as four feet, can lift up to 22 pounds, and work in industrial settings alongside humans. The two researchers found that the robots' software had no real authentication, and implemented only easily cracked integrity checks meant to prevent a hacker from installing malicious updates. A live video demo shows that they could use a common security vulnerability called a "buffer overflow" to gain unauthorized access to the robot arm's operating system, and overwrite the "safety.conf" file that constrains the robot's movements with limits on its speed, the force it applies, and how it reacts when its infrared sensors detect someone nearby.

That could not only cause the robot to damage itself by overextending or overstressing its arm, but could also harm human workers within reach, they warn. "These robots have the force to cause actual bone fractures," Apa says. "Safety protections are the ultimate way they can avoid hurting the people around them. If they’re hacked, the consequences could be catastrophic."

The other two robots that the IOActive researchers focused on were smaller, friendlier "companion" robots meant for entertainment, education, and Amazon Echo-like voice interaction. Beyond merely editing a single file, as they did with the Universal Robots arm, they showed they could install software on both of the humanoid robots to fully control them.