How secure are home robots?

Few of us think a vacuum could possibly become anything remotely viable for criminal use

irobot roomba
Credit: Kārlis Dambrāns

They have blinking lights and tend to chirp constantly. One of them can vacuum your living room carpet on a schedule. Another can play games with the kids using artificial intelligence.

Yet, for homeowners (and security professionals) there’s a question about whether home robots could become an attack vector for hackers. Tapping into a live webcam feed and recording it? Stealing Wi-Fi information from an unprotected signal so you can transmit illegal wares? What makes a home robot such an ingenious ploy is that few of us think a vacuum could possibly become anything remotely viable for criminal use. Yet, that’s exactly the danger.

“Homeowners never change the default passwords or use simple passwords which can be broken thus allowing hackers to leverage their way onto a home network and use the robot as a pivot point for further exfiltration of sensitive data or plant malware,” says Kevin Curran, a senior lecturer in computer science at the University of Ulster and IEEE member.

Curran says in a corporate setting a robot could be the weak link in the security infrastructure. Many run a proprietary “robot operating system” that is primed for attack, he says.

Security risk?

Robots seem innocuous and simple, but Curran says that’s a misconception. Usually, they are powered by Linux kernel that’s likely outdated, unpatched, and unprotected. And, once a hacker does gain access, it could be easy to start recording from a built-in webcam. The latest vacuum bots from Dyson and iRobot use a video camera as a primary way to scan a room.

“A risk associated with rolling out robots with webcams as opposed to say a webcam in an IT department is that users are not aware of the importance of changing default passwords and updating the system to apply the latest security fixes,” says Curran. “A misconfigured service in a consumer device can lead to horrific invasions of privacy.”

Carson Sweet, the cofounder and CTO of CloudPassage, a cloud server security company, says the webcam on bots (and the microphone) is the most serious threat because it’s conceivable that a hacker could take over and create a personal privacy nightmare.

[ ALSO ON CSO: Surgical robots – smart but insecure ]

A few of these potential security risks for home robots might seem a bit far-fetched, but Tom Byrnes, the CEO of malware protection company ThreatSTOP, says it’s too easy to assume a home robot (or a more “professional” bot used in a corporate setting) is impenetrable.

Byrnes says one scenario has to do with ransomware. If a hacker gains access to your network, records a video, or takes over the bot, he could demand a ransom to “release” control again. If the robot costs several thousand dollars, it’s a major issue. Hackers could also figure out a way to take over a home robot and cause damage to a home. This could be as simple as instructing a robot to crash repeatedly into a wall or play inappropriate videos on its display.

Taking precautions

Like many Internet of Things gadgets in the home or office, another issue with robots is that they are often left to their own devices. Penetration testing is not always a top priority.

“Consumers should demand that manufacturers provide facilities to harden the devices, patch operating systems, patch software vulnerabilities, provide strongly authenticated management interfaces, and generate security event data,” says Sweet.

His argument is that as home robots become more common and valuable to the consumer, the attack vector gets bigger and it will become more likely that regulators will get involved. It’s better to secure them now with better authentication before the first widespread attack occurs.

“What makes the IoT problematic is that the devices are almost never patched, and are run by users who probably have little to no security savvy,” says Byrnes. “The manufacturers have a low-cost, high volume model, so keeping them up to date is not part of their business plan, unless it becomes a large PR issue in which case lots of people have already been compromised.”

[ MORE ROBOTS: The Internet of Robotic Things: Secure, harmless helpers or vulnerable, vicious foes? ]

For many consumer bot developers, there’s no reason to consider any security issues, and -- like the Internet of Things and connected home devices offered today -- companies rarely offer a bounty to ethical hackers who can find out if there are security holes.

“Robot manufacturers should also release security updates once vulnerabilities are found but the incentive is simply not there for them to do it much of the time. Pressure should always be placed on manufacturers to deploy fixes for known vulnerabilities,” says Curran.

Once the pressure is applied, hopefully the robots won’t squawk too much.

This story, "How secure are home robots?" was originally published by CSO.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon