Google Brain Research Scientist Ian Goodfellow has tweeted an alarm about IoT hacking of a particularly nightmarish type, after Brown University security researchers were able to remotely access and control a robot in a university research lab. The research also showed that many robotic labs worldwide may be vulnerable to such a takeover technique.



Security issues are a top concern in robotic platforms, and although industrial robot security is robust, relatively little effort has been put into discovering and mitigating security issues at robotics research facilities. The Brown University researchers scanned the global IPv4 address space and identified a number of Robot Operating System (ROS) instances exposed to the public Internet, which could enable unauthorized access to robotic sensors and actuators. A remote operator could, for example, make a robot leak sensitive information about its surroundings, or even cause physical harm.



ROS designers are not security experts and do not have a clear threat model on which to base a security mechanism. Brown University researchers found more than 100 publicly accessible hosts running vulnerable ROS master nodes across North America, Europe and Asia. A number of these connect to simulators, while others appear to be real robots that could be remotely manipulated. The robot that they were able, with consent, to remotely read sensor information from and move belonged to a research group at a US university.



The Brown University research has two main goals: to emphasize the importance of robot security not only in production systems, but also in the scientific research environment; and to provide information about a concerning situation and guidance on how the robotics community can improve security.



The paper "Scanning the Internet for ROS: A View of Security in Robotics Research" has been published on arXiv.