When the cybersecurity industry warns of digital threats to the "internet of things," the targets that come to mind are ill-conceived, insecure consumer products like hackable lightbulbs and refrigerators. But one group of researchers has shown how hackers can perform far more serious physical sabotage: tweaking an industrial robotic arm to cost millions of dollars worth of product defects, and possibly to damage the machinery itself or its human operator.

Researchers at the security firm Trend Micro and Italy's Politecnico Milano have spent the last year and a half exploring that risk of a networked and internet-connected industrial robot. At the IEEE Security & Privacy conference later this month, they plan to present a case study of attack techniques they developed to subtly sabotage and even fully hijack a 220-pound industrial robotic arm capable of wielding gripping claws, welding tools, or even lasers. The ABB IRB140 they compromised has applications in everything from automotive manufacturing to food processing and packaging to pharmaceuticals.

Robot Command

In their tests, the researchers found a broad collection of security vulnerabilities in the controller computer that pilots that arm. Those security flaws allowed the team to pull off a range of attacks, like changing the roughly $75,000 machine's operating system with a USB drive plugged into the computer's ports, and subtly tampering with its data. More alarmingly, they also managed to load their own malicious commands onto the machine from anywhere on the internet. "If you upload your own code, you can change completely what it's doing to the work piece, introduce defects, stop the production, whatever you want," says Federico Maggi, who began the work with his fellow Politecnico Milano researchers before joining Trend Micro. "Once you find this, the only limit is your imagination."

Since the researchers alerted ABB to the hackable bugs they'd discovered, the Swedish-Swiss firm has released security fixes for all of them, Maggi says. ABB didn't immediately respond to WIRED's request for comment. But Maggi notes the company's admirable speed in fixing its flaws doesn't solve the larger problem. If he and his colleagues were able to find so many basic security flaws in the IRB140, Trend Micro argues that other industrial robots among the 1.3 million the International Federation of Robotics expects to be deployed by 2018 will be vulnerable to similar attacks.

Once you find this, the only limit is your imagination Federico Maggi, Trend Micro

Since software updates for robots can often cause costly delays in manufacturing processes, factories often skip them, Maggi says. That means even known security flaws could linger in the robots for years. And he argues similar techniques would likely work on even larger, more powerful robots like ABB's IRB 460, a robotic arm capable of moving hundreds of pounds. "Looking at only one vendor, we found textbook examples of vulnerabilities, very simple ones," says Maggi. "All our attacks can be applied to other categories of robots as well."

The flaws the researchers identified in ABB's IRB140 would have given any potential robot-hackers plenty of inroads. Most seriously, they found that any remote attacker could use the internet-scanning tool Shodan to find exposed, accessible FTP servers connected to the robots, and upload files to them that would be automatically downloaded and run whenever the robot is next rebooted. An attacker on the same network as the robot could have used a flaw in its HTTP interface to cause it to run unauthorized commands, or broken the weak encryption the robot's controller used to protect its input data, allowing a hacker to subtly alter its parameters. And if an attacker had either local network or in-person physical access to the computer controller, they could fully rewrite its firmware. It could then lie to the operator, even as the machine did the attacker's bidding.

Most disturbingly, the researchers found that those attacks had the potential to cause serious physical harm. The IRB140 is designed to run in automatic mode inside of a protective cage; it can only be operated manually if someone holds down the Fled Pendant's dead-man-switch. But the researchers found they could cause the Flex Pendant to appear to be in that safe, manual mode even when it was in automated mode, potentially tricking a victim into entering its cage and then causing them serious injury. "These are industrial weight machines with the potential to cause bodily harm to the humans around them," says Trend Micro exec Mark Nunnikhoven.

Aside from that grisly scenario, the researchers also note that the arm could be hacked to extend itself beyond its own operating thresholds, potentially damaging it permanently. (They didn't have the budget to test that self-sabotage attack, they admit.) Or more practically, the machine could be subtly hacked to change its manufacturing parameters or simply reduce its precision, altering a product by as a little as a few millimeters. In one demonstration that used the arm to mark lines on an iPad, they showed that the attack could introduce imperceptible aberrations into the arm's movement. And they point to a previous study that showed even those tiny alterations to, say, a quadcopter drone's rotors could cause the resulting product to fail entirely.

Arm's Length

The notion that those robotic vulnerabilities extend beyond a single piece of equipment isn't just a guess. Earlier this year, researchers at the security consultancy IOActive also analyzed an array of industrial robots and found security flaws across the industry. The issues range from authentication problems to weak cryptography to insecure default software configurations. Unlike the Milanese researchers, IOActive declined to name any of the robots it targeted.

The stakes are much higher here. Mark Nunnikhoven, Trend Micro

Aside from ABB, the researchers also used tools like Shodan and ZoomEye to scan the internet for potentially hackable robots and found dozens in countries including the United States, Denmark, Sweden, German, and Japan. They believe the total number is likely far higher; Maggi points to other scans that reveal tens of thousands of vulnerable industrial network routers he says likely connect to vulnerable machines, offering hackers a foothold to launch an attack.

All of that raises the question of why heavyweight, pricey, and potentially dangerous industrial robots connect to the internet in the first place. On that point, Trend Micro's Nunnikhoven says that industrial machines face the same pressure as the rest of the internet of things to enable network and even wireless connections for convenience and efficiency—while exposing machines to attacks that weren't built with internet security in mind. "We see this in the commercial IoT space with kettles and doorlocks and lightbulbs, but the stakes are much higher here," Nunnikhoven says. "The reality is that if it can be connected to the internet, it will be. This research shows how big a problem that is."