Case study: Remote attack to disable MiR100 safety

In this abstract, we describe a case study in which we remotely disabled the safety subsystem of a MiR100 industrial mobile robot. Because of several misconfigurations and the neglect of standard security practices (such as changing default passwords), it is possible to retrieve, manipulate and re-upload the safety program logic running on the robot's dedicated safety PLC. We sketch the attack vector and describe its effects and possible mitigation strategies. The vulnerability described has been acknowledged by the robot manufacturer and is being addressed.
