back to article Industrial plant robots frequently connected to the 'net without authentication

Industrial robots are frequently exposed to the internet, creating a security risk in the process, according to new research from Trend Micro. Of the 83,000 robots researchers found exposed to the public internet, 5,000 had no authentication in place to guard against possible hack attacks. A report by security researchers at …

  1. Zog_but_not_the_first
    Trollface

    A prankster...

    ...might hack into a car fabrication line, change the tolerances etc., and roll out cars like the Morris Marina.

    1. ArrZarr
      Pint

      Re: A prankster...

      Truly, a more devious scheme has never been conceived.

    2. Chris King

      Re: A prankster...

      No robot could ever produce a vehicle as bad as a "Friday Afternoon Special" Marina.

      1. Huey

        Re: A prankster...

        What could possibly go wrong?

        Wouldn't you prefer a nice game of chess?

      2. Steve Davies 3 Silver badge

        Re: A prankster...

        The Friday Afternoon special Marina

        That is Brown - 2-Tone with a Vanden Plas badge stuck on at an angle.

  2. cbars

    Like everything, AI can improve this

    Add Artificial Intelligence, and Johnny No. 5 can be alive for real! Everywhere! Yay!

  3. Anonymous Coward
    Anonymous Coward

    Robots don't pay taxes

    Spending money on robots security takes profit.

    So expect more robots and less security, for the wealth benefit of the 1%

  4. chivo243 Silver badge
    Trollface

    Yep, that's what I went to jail for

    "steal or disrupt industrial control plants" I stole not one but 3 industrustial control plants before being caught. Those were heady days...

    1. Chris King

      Re: Yep, that's what I went to jail for

      You'd have gotten away with it too, if it hadn't been for those damn kids and that pesky IDS...

      1. DropBear
        Trollface

        Re: Yep, that's what I went to jail for

        ...."meddling". It's "those meddling kids". We don't just call Goofy "Pluto" now, do we...

  5. Anonymous Coward
    Anonymous Coward

    At my place of work

    We had a robotic picker that ran on some version of Windows that looked like Windows of old (Vista? 7?). It was often blighted by demands to upgrade to W10, random advertising, etc.

    The only saving grace is that it utterly sucked and would drop more than it correctly placed, so most of the time it was just sitting unused wasting electricity. Gone now.

    Anon because my employer's tech guys might be reading...

    1. Anonymous Coward
      Anonymous Coward

      Re: At my place of work

      That's okay, at least the robot picker is paid for. A hu-man worker would be getting a salary to sit around using electricity. We can't have that. He might buy some medicine, or use his knowledge of Fortran to receive a secret payment from NASA while no one is looking. :P

      Seriously, this problem with the insecure Internet connected robots is quite easily cured by applying a small amount of blockchain, just a taste, not too much now. Then we add a bit of quantum AI stick it on a secure public virtual cloud, observe all with our VR glasses, then we render it in Rose Gold®, a registered trademark of the Apple okay, then let IBM's Watson stir the pot, he takes a taste, gives it a thumb's up, and all is forgiven. Amen. And Luke, and Leia, and the little gay robots lived happily ever after. The end.

  6. frank ly

    Memories

    "Five years ago all this would have come as a nasty shock ..."

    Ten years ago, I was asking why a very large site HVAC system was connected to the internet and I was told that it made it easier for the supplier to monitor it and issue corrective commands if anything went wrong. One of the supplier enginners told me that, "just for curiosity", he'd checked if he could still access a pumping station in Spain that he'd worked on a few years previously. He said that he could, from his own home, but that he'd logged out before testing if he could change its operating parameters.

    The situation seemed to be normal then and is probably still regarded as normal among many 'cultures' now.

  7. John Smith 19 Gold badge
    WTF?

    "83,000 robots researchers found exposed to the public internet,"

    Seriously WTF?

    Who in their right minds would think this is a good idea?

    The answer is probably they thought it was a convenient idea, which is of course much better.

    Backed up with a big dose of "Well no on knows it's there and if they find it they won't realize it's a big old robot that lift half a tonne and swing it through several metres so where's the harm?"

    1. Brewster's Angle Grinder Silver badge
      Terminator

      Re: "83,000 robots researchers found exposed to the public internet,"

      "Who in their right minds would think this is a good idea?"

      Don't be like that. Robots need to Google porn, just like the rest of us.

      1. Chris G Silver badge

        Re: "83,000 robots researchers found exposed to the public internet,"

        "Don't be like that. Robots need to Google porn, just like the rest of us."

        Robbie removed the thin cover and exposed her nipples, his tool rose and he pumped a viscous liquid into her parts.....

        1. DropBear
          Terminator

          Re: "83,000 robots researchers found exposed to the public internet,"

          "Robbie removed the thin cover..."

          ...let's do it properly, shall we... ;)

          "I've kept all my protective films intact" Roberta purred, "I've been waiting for someone like you to peel them off my faceplate...". There was an almost imperceptible quiver in the cool evening air all over her condensation-covered chassis as her servos warmed to nominal operating temperature, their high-frequency chopped currents coupling as a subtle hum into Robbie's sensor loops. With his induction-hardened main shaft at end of stroke the tremendous pressure of the hot hydraulic fluid was quickly growing out of spec, his bypass valves straining to redirect the flow...

    2. Anonymous Coward
      Anonymous Coward

      Re: "83,000 robots researchers found exposed to the public internet,"

      So that is what are we doing wrong, not connecting the tooling to the internet </sarc>

      All the computer controlled tooling in the factories we oversee are on an internal net with the servers, switches etc., in a locked section of the computer room. It requires two people with keys to unlock that section, one of my people and one of their security people. Even the office network only gets switched to the internet at set times and that is generally to allow the remote backups to run.

    3. bombastic bob Silver badge
      Terminator

      Re: "83,000 robots researchers found exposed to the public internet,"

      nobody has seen 'Live Free or Die Hard' have they?

  8. Will Godfrey Silver badge
    Unhappy

    This isn't new

    So why has it taken so long for anyone to draw attention it?

    1. Anonymous Coward
      Anonymous Coward

      Re: why has it taken so long ... to draw attention it?

      "So why has it taken so long for anyone to draw attention it?"

      "People" have been drawing attention to it, as you rightly suggest, over a number of years and even (more recently) a number of reasonably well publicised incidents.

      E.g. Wasn't there a recent US court case involving a robot and a fatality, reported here (with an extended discussion) and presumably elsewhere?

      https://www.theregister.co.uk/2017/03/11/autobot_makers_sued_over_technicians_death/

      Any more news on this case since then?

      It won't be the only such incident, there'll be more until something changes in the way these things are done.

      Robots and related semi-realtime systems (SCADA etc) aren't shiny sexy IT toys, especially when they have safety-related roles, and they shouldn't have revenue to be made from anti-virus and devops training and such.

      Robot hardware might need to be agile, safety related software development probably shouldn't be Agile, and desktop-centric OSes and toolsets may or may not be appropriate as the runtime environment for the control systems in question. But try telling that to management, and it's probably a career-limiting move.

      "Management" generally aren't listening. Yet.

      1. Anonymous Coward
        Anonymous Coward

        Re: why has it taken so long ... to draw attention it?

        "E.g. Wasn't there a recent US court case involving a robot and a fatality, reported here (with an extended discussion) and presumably elsewhere?"

        I don't recall that hacking was involved in that particular incident.

        But - it was exactly the type of action that could be caused by someone hacking in to the control.

        1. DropBear

          Re: why has it taken so long ... to draw attention it?

          To be fair, any such incident is supposed to be impossible as robots having people in dangerously close proximity are supposed to be locked out and de-powered at hardware level and by no means controllable online. Which is not to say "normal" production couldn't be screwed with, but this should not be relevant to accidents...

          1. Anonymous Coward
            Anonymous Coward

            Re: why has it taken so long ... to draw attention it?

            "robots having people in dangerously close proximity are supposed to be locked out and de-powered at hardware level"

            That's fine by me, but I suspect it's considered a rather dated approach in some places e.g. in the rarefied atmosphere of the management offices and boardrooms, where consequences are things that other people pay for.

            This from page 6 of the Trend Micro report quoted in the article:

            "Industrial robots are traditionally designed to operate in a cage, physically separated from where humans work. However, vendors are introducing various models of collaborative robots (co-bots) that are able to work in physical proximity to humans (e.g., ABB’s YuMi, FANUC’s CR-35iA, 13 and various models by Universal Robots; see Figure 3)."

            [Fwiw: ABB's YuMi isn't a classical ABB production-line robot; it's a little bit bigger than some of the tabletop robots I've seen used as toys or for training. Can't comment on the others mentioned.]

  9. Tom 7 Silver badge

    Squaring the circle.

    So you buy a robot so you dont have to pay for someone's wages only to discover to run it securely you have to employ someone who will be as expensive as the staff you have replaced!

    We live in a post capitalist world because the capitalists have got all the money but refuse to invest in the post that holds their world up.

  10. Boris the Cockroach Silver badge
    Terminator

    Air Gap!

    Air gap

    Air gap

    And glue in the USB ports

    My boss thinks I'm crazy , but one servo lag parameter changed... and you get the example in the video.

    Actually a fun example would be changing the speed parameters for when the machine puts a thread in a hole, so instead of the efficent cutting it normally does, it "pulls" on the thread thus weakening the thread structure.... sounds tiny does'nt it....... but that thread is designed to take 50 lbs of force but now it couldn't manage 10 lbs.... and your brakes fall apart at 80mph when you press the pedal....

    1. Anonymous Coward
      Anonymous Coward

      Re: Air Gap!

      That's great, but can you just make all the robots in the factory dance to the beat of the 1987 Rick Astley song "Never Gonna Give You Up?" Thanks! You're a pal.

      1. John Brown (no body) Silver badge
        Coat

        Re: Air Gap!

        "Thanks! You're a pal."

        A plastic pal who's fun to be with?

  11. Jim 68
    Windows

    I suspect...

    ...there are a lot of people who simply can't envision anything that's not connected to the Internet.

  12. Anonymous Coward
    Anonymous Coward

    Old News

    We found this oh, some 5 years ago. So we monitored the traffic and blocked it.

    The data was encrypted so might have been a forrunner for Windows 10.

    We waited for the supplier to contact us but they never did.

  13. John Smith 19 Gold badge
    Unhappy

    Lest you think there are no criminal possiblities

    "Nice factory you got here. Be a shame if one of those 'bots was to go crazy and start wacking people with some of the metal it's supposed to be working on. What you need is some sort of protection against that happening..."

    Not just violent pranksters looking to cause trouble.

    Legal note.

    This is extortion, not blackmail. Extortion is where you threaten to do (or not do) something to someone directly. Blackmail is where you threaten to reveal (or not) something to a third party.

  14. Captain DaFt

    Evil Overlords Rejoice!

    Armies of robot minions revealed to be available for free on the Internet!

    (App soon to be available for Apple and Android!) ☺

  15. Ian Michael Gumby

    Security as an after thought.

    When robotics and other embedded systems were first implemented, the Internet didn't exist beyond Usenet and mostly computer geeks and engineers were the only ones on the net.

    I wrote some embedded systems over 25 years ago and networking wasn't even an issue. Today those same systems are connected to a pc/server that connects to the web.

    So a lot of the infrastructure is ripe for security threats.

  16. Long John Brass
    Terminator

    I learned the hard way that....

    Hell hath no fury like the vast robot armies of a woman scorned.

    And now I know where the hell she got them from!

    1. DropBear
      Trollface

      Re: I learned the hard way that....

      So, do tell - did they threaten to, uh, flail their grippers at you furiously from afar or something...? I mean, as long as they don't start rolling out Boston Dynamics Big Dogs en-masse, I reckon we're quite safe at the pub...

  17. Anonymous Coward
    Anonymous Coward

    Internet connected bedpan washer

    Yes I know, it got the standard response from me, of Why! and NOOOOOOO!

    apparently to do with cycle statistics all sent to a server via FTP

    AC as they probably already know who i am

    1. John Smith 19 Gold badge
      Unhappy

      "apparently to do with cycle statistics all sent to a server via FTP"

      Sadly I can actually believe that.

      Eliminate the "annual service visit" and allow continuous monitoring. Even better (for PHB) you can eliminate the light on the front panel that says "request service call. Machine needs attention" as well.

      In fact while we're at it we can do remote updates in case we need to upgrade (or rather the customer pays for an upgrade) to the software. No authentication needed as no one else knows what it's for or even if it's on the net.

      All at the minor cost of creating yet another gaping wide door into the machines core software.

      The road to Hell is not paved with good intentions. It's paved with "convenience."

  18. Anonymous Coward
    Terminator

    Security risks of connecting your industrial facilities to the Internet

    "Industrial robots are frequently exposed to the internet, creating a security risk .. a hacker might be able to alter the control system .. Five years ago all this would have come as a nasty shock"

    Only if you've been in a coma since 2003 or 1997.

    "There is simply no way, as this report shows, to stop cybercriminals from finding ways into manufacturing plants and other industrial facilities via the Internet.

    There is you fucking retard, don't connect your industrial facilities to the Internet.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security risks of connecting your industrial facilities to the Internet

      "don't connect your industrial facilities to the Internet."

      Respect stupid! Stupid exists, Stupid is always there,... waiting. The person you least expect is capable of becoming Stupid.

      Encrypt everything, use strong keys, limit the access. Set up your robots so they can't interact with people, then airgap everything. Physically control access to everything, and you still have to check everything for stupid. Cause stupid has a laptop/mobile phone, and then all your hard work is on the Internet. Hell, stupid may even be paid to do it (probably not though)

      Saw a few months ago stupid with RDP server, user name and password the same on the Internet. cause it would save their accountant a bit of time.

      It was only their orders,client history, and council approvals that got encrypted.

      Good Luck! Against Stupid..... we all need it!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022