SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
14 Mar 2018

Hacked retail robots can demand bitcoin

It’s the end of your phone’s annual life cycle and you have decided to go in for an upgrade.

You make your way into a local Sprint store where you are warmly greeted by Pepper, a four-foot-tall, humanoid service robot.

Pepper welcomes you and asks how it can be of assistance. Suddenly, something goes terribly wrong. Before you can avert your gaze, hardcore porn starts streaming from Pepper’s chest tablet. You plead to make the moaning stop, but instead Pepper simply looks at you and angrily demands large sums of Bitcoin. You throw your hands up in defeat, unsure what to do. And then, Pepper cusses you out. According to newly released research, this profane disruption could actually happen, and it could cost companies money.

In their March 9 paper, “Robots want bitcoins too,” IOActive security researchers Lucas Apa and Cesar Cerrudo successfully created ransomware that could be used to compromise SoftBank Robotics’ NAO robot. Unlike traditional computer ransomware, which threatens customers by encrypting their personal information, in the situation presented by the researchers, companies that rely on these robots for service would be forced to make a decision: pay the ransom or cease business.

“The consequences would be more like preventing the robots from working,” Apa said over the phone. “So they do not need to encrypt information, they just need to take over the robot, and by preventing the robot from working it automatically will start making the business lose money.”

Using their ransomware, the researchers also proved that an attacker could go beyond simply disabling the robots. Apa explained how an attacker could load ransomware onto a robot and then display profane images or issue derogatory remarks to customers. If not addressed, these types of attacks could be used to weaken consumer trust in companies that use the robots for services.

While this particular malware targeted NAO, Apa said the exact same code would work on the more widely used Pepper robot. An estimated 10,000 Pepper units have been sold worldwide and are being implemented in a variety of businesses such as Pizza Hut and Sprint.

According to the researchers, robot ransomware may be more difficult to address than typical ransomware attacks for several reasons. These robots are expensive (Pepper costs nearly $9,000 over three years with service fees) and they are also difficult to factory reset. In lieu of a factory reset, customers may be forced to ship their robot back to a manufacturer to remove the ransomware. This process could take weeks, and all the while the company may continue losing revenue.

This means, according to the researchers, that an extortionist could demand higher amounts of money and victims would be more willing to pay than in traditional ransomware attacks. Looking into the future, the researchers also explained how ransomware could affect people who use sex robots. “In the special case of sex robots, where privacy and intimacy are a primary user concern, the lack of discretion when contacting technical support, arranging pick up and calling customer care, could incentivize users to pay a ransom for the return of a robot rather than dealing with the emotional fallout,” the report read.

A History of Vulnerabilities

This is not the first time Apa and Cerrudo have highlighted vulnerabilities within SoftBank’s robots. Last August, the team released another research paper exposing a vulnerability in the NAO and Pepper robots which could turn them into spying devices.

In that same paper, the two were also able to disable the safety protocols that prevent collaborative industrial robots manufactured by Universal Robotics from harming humans. “We were able to disable them because there is no isolation from the safety settings on the robot and the other components,” Apa said. “There is no isolation once you hack the robot you can disable all kind of safety.” According to Apa, these vulnerabilities are especially dangerous because human workers have a certain degree of trust working side by side with these robots.

“These type of robots work in the factory alongside people because they are collaborative robots,” he said. “In this case the people trust and they don't even use helmets.” Apa said that some of these collaborative robots have enough strength to fracture a human skull. In August last year, IOActive was able to exploit a vulnerability in UBTech’s Alpha 2 robot that potentially allowed it to stab people with a screwdriver.

Apa said that some of the issues regarding the ransomware could be addressed if more companies offered effective ways to factory reset their products. A factory reset would wipe clean any malware installed on the robot. While SoftBank Robotics does offer a factory reset option for Pepper, Apa said it does not work properly and only works for some components. SoftBank Robotics did not respond to the request for comment on their factory reset standards.

“We think sometimes they [robotics companies] prioritize marketing rather than security,” Apa said. “People have a lot of expectations from robots since seven or eight years ago so they have to make a product that is for the show.”

Tags: bitcoin fraud
Source: Motherboard