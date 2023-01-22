
Breaking the Laws of Robotics: Attacking Industrial Robots

Jan. 22, 2023
ABSTRACT: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices: they include complex embedded controllers, which are often interconnected with other computers on the factory network, with safety systems, and with the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, a single, simple vulnerability can grant attackers an easy entry point. The talk will discuss how remote attackers are able to attack such robots up to the point where they can alter the manufactured product, physically damage the robot, steal industrial secrets, or injure humans.

BIO: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently a full professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyber-physical security, and cybersecurity in general. Besides teaching “Computer Security” and “Digital Forensics and Cybercrime” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 100 scientific papers and books. He is a Senior Member of the IEEE and the IEEE Computer Society, which has named him a Distinguished Lecturer and Distinguished Contributor; he is a lifetime senior member of the ACM, which has named him a Distinguished Speaker; and he has been named a Fellow of the ISSA (Information System Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading cybersecurity assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.


1. Breaking the laws of robotics: Attacking industrial robots. Stefano Zanero, Politecnico di Milano. Partially based upon work with present and former colleagues and students: D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. Zanchettin, M. Vittone.
2. Industrial CPS traits: originally disconnected systems; now opening up to the Internet; security as an afterthought.
3. Industrial CPS traits: production-critical systems; difficult to update; long service life and "forever days"; not necessarily managed by corporate IT ("IT vs OT").
4. Industrial CPS traits: cyber-physical systems influence the physical environment; sometimes they are critical systems (safety-wise, critical infrastructure).
5. Threat scenarios. The CIA triad matters less here; what matters is:
   ● Safety
     ○ people, environment, equipment
   ● Production continuity
     ○ production plant halting
     ○ ransomware ("oh, I could ransom that, too")
   ● Production outcome alteration
     ○ → safety?
6. Example: additive manufacturing micro-defects. "dr0wned - Cyber-Physical Attack with Additive Manufacturing", Sofia Belikovetsky, Mark Yampolskiy, Jinghui Toh, Yuval Elovici, WOOT '17.
7. Industrial robots?
8. 1) Robots are flexibly programmable... [screenshot of a teach pendant, with a formatted code snippet alongside]
9. ... and the program doesn't say it all.
10. 2) Robots are extensible & connected. Sources: http://developercenter.robotstudio.com, abb.com, https://universal-robots.com/plus
11. 3) Robots are (sometimes) collaborative.
12. We assess attack impact by reasoning on requirements.
13. Requirements: Safety I/O Accuracy Integrity
14. Requirements → robot-specific attack: violating any of these requirements via a digital vector. (Safety I/O Accuracy Integrity)
15. Control loop or calibration tampering (Attack 2). Requirements: Safety, Accuracy, Integrity.
16. Production logic tampering (Attack 3). Requirements: Safety, Accuracy, Integrity.
17. Displayed or actual state alteration (Attacks 4+5). Requirements: Safety, Accuracy, Integrity.
18. Displayed state alteration example: teach pendant with a malicious DLL.
19. Compromising robot controllers
20. Attack surface: USB port, LAN, radio. Services: well-known (FTP) + custom (RobAPI).
21. Plenty of vulnerabilities:
   ● Buffer overflow (BOF) leading to RCE: ABBVU-DMRO-124641
   ● BOF in FlexPendant: ABBVU-DMRO-124645
   ● BOF in /command endpoint: ABBVU-DMRO-128238
   ● Command injection: ABBVU-DMRO-124642
   ● Authentication bypass: ABBVU-DMRO-124644
22. Takeaways: some memory corruption; mostly logical vulnerabilities; unprotected sensitive files (e.g. configuration); all the components blindly trust the main computer (lack of isolation).
23. Full controller exploitation
24. That's how we implemented the attacks.
25. What's the attack surface?
26. Robots are meant to be connected.
27. Connected robots: why?
   ● Now: monitoring & maintenance (ISO 10218-2:2011)
   ● Enter Industry 4.0: active production planning/control
     ○ some vendors expose REST-like APIs
     ○ ... up to the use of mobile devices for commands
   ● Future: app/library stores
     ○ an "industrial" version of robotappstore.com?
28. More in general: the "smart factory" ecosystem.
29. ICS on the Internet
30. Remote exposure of industrial robots: not so many...
    Search                  Entries   Country
    ABB Robotics            5         DK, SE
    FANUC FTP               9         US, KR, FR, TW
    Yaskawa                 9         CA, JP
    Kawasaki E Controller   4         DE
    Mitsubishi FTP          1         ID
    Overall                 28        10 countries
31. Remote exposure of industrial routers: ...way more! It is unknown which routers are actually robot-connected.
32. Industrial routers: typical issues: trivially "fingerprintable" (banners, firmware, manuals); outdated software components; insecure web interface; cut & paste.
33. Proprietary languages
    Language       Vendor
    RAPID          ABB
    KRL            KUKA
    MELFA BASIC    Mitsubishi
    AS             Kawasaki
    PDL2           COMAU
    PacScript      DENSO
    URScript       Universal-Robot
    KAREL          FANUC
34. The DSL rabbit hole
35. Features: handle file resources
    Vendor            File System   Directory Listing
    ABB               ✔             ✔
    KUKA              ✔
    Mitsubishi        ✔
    Kawasaki
    COMAU             ✔             Indirect
    DENSO
    Universal-Robot
    FANUC             ✔             ✔
36. Features: load new code at runtime
    Vendor            File System   Directory Listing   Load Module From File   Call By Name
    ABB               ✔             ✔                   ✔                       ✔
    KUKA              ✔
    Mitsubishi        ✔
    Kawasaki
    COMAU             ✔             Indirect            ✔                       ✔
    DENSO                                               ✔                       ✔
    Universal-Robot
    FANUC             ✔             ✔                   ✔                       ✔
37. Features: network communication
    Vendor            File System   Directory Listing   Load Module From File   Call By Name   Communication
    ABB               ✔             ✔                   ✔                       ✔              ✔
    KUKA              ✔                                                                        ✔
    Mitsubishi        ✔                                                                        ✔
    Kawasaki                                                                                   ✔
    COMAU             ✔             Indirect            ✔                       ✔              ✔
    DENSO                                               ✔                       ✔              ✔
    Universal-Robot                                                                            ✔
    FANUC             ✔             ✔                   ✔                       ✔              ✔
38. We asked automation engineers: what language features do you use when programming robots?
39. We found out that...
   • Developers can introduce vulnerabilities that can be exploited (yes, we found vulnerable code published on GitHub).
   • Threat actors can abuse the language features to write malware (yes, we were able to write a network-capable, self-spreading malware dropper).
40. Example: a vulnerable web server in RAPID.
41. Example: the web server root lives on the robot controller; a request that escapes the root steals secrets stored outside it.
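The path-traversal flaw behind slides 40-41 (a request path joined onto the web root without confinement, so "../" walks out of the root) is easier to see in a runnable form. The block below is an added example in Python, not code from the talk or from robosec.org: it puts the naive resolver beside a hardened one that decodes, normalizes, resolves symlinks and then checks that the result is still under the root. The web root, the file names and the three requests are constructed for the demo; `robot.cfg` stands in for the sensitive file the slide calls a "secret".

```python
"""Added example (not from the talk): naive vs. confined file resolution for a
tiny file server. Demo files and request paths are constructed here."""
import os
import posixpath
import tempfile
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote


def resolve_vulnerable(web_root: str, request_path: str) -> str:
    """Naive join: '..' segments in the request walk out of web_root."""
    return os.path.join(web_root, unquote(request_path).lstrip("/"))


def resolve_hardened(web_root: str, request_path: str) -> Optional[str]:
    """Decode once, normalize against a fixed root, resolve symlinks, then
    insist the final path is still inside the root. None means rejected."""
    root = os.path.realpath(web_root)
    # normpath on an absolute path collapses leading '..' instead of escaping
    rel = posixpath.normpath("/" + unquote(request_path).lstrip("/")).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(resolver: Callable[[str, str], Optional[str]], web_root: str,
          request_path: str) -> Optional[str]:
    """Resolve and read a file; None when the request is rejected or missing."""
    path = resolver(web_root, request_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as handle:
        return handle.read()


def demo() -> Dict[str, List[Optional[str]]]:
    """Serve three constructed requests through both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
            f.write("<h1>robot cell</h1>")
        # Sensitive file deliberately placed one level above the web root.
        with open(os.path.join(tmp, "robot.cfg"), "w", encoding="utf-8") as f:
            f.write("CALIB_OFFSET=0.42")
        requests = ["/index.html", "/../robot.cfg", "/%2e%2e/robot.cfg"]
        return {
            "vulnerable": [serve(resolve_vulnerable, root, r) for r in requests],
            "hardened": [serve(resolve_hardened, root, r) for r in requests],
        }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The hardened resolver never trusts the textual path: it normalizes, resolves with `realpath` (so a symlink planted inside the root cannot point outside it) and only then compares prefixes with `commonpath`. A plain string check such as `"../" not in path` would miss the URL-encoded variant.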
42. Sources and sinks: attacker-controlled input flows from sensitive sources to sensitive sinks, with concrete impact.
    Sensitive sources: File; Inbound communication (e.g., network); Teach Pendant (UI)
    Sensitive sinks: Robot Movement; File Handling (e.g., read); File Modification (e.g., write configuration); Call by Name
43. We built an analyzer for (some) DSLs:
    1. Parsing of the task program's source code (RAPID parser, KRL parser, ...)
    2. CFG generation
    3. ICFG generation
    4. Dataflow analysis
    Output: potential vulnerabilities (insecure patterns) and potentially abused features (malicious patterns).
    Example task program fragment: ... MoveJ point0; WaitTime 4; MoveL point1; WaitTime 5; ...
44. Detection results. Public code is hard to find (it's intellectual property); 100 RAPID and KRL files from public repositories (e.g., GitHub and GitLab).
    Vulnerability                     Projects   Files   Root cause
    Network → Remote Function Exec    2          2       Dynamic code loading
    Network → File Access             1          4       Unfiltered open file
    Network → Arbitrary Movement      13         34      Unrestricted Move Joint or Move to point
    Detection errors                  2          12      Interrupts
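The source-to-sink reasoning of slides 42-44 can be demonstrated with a toy taint pass. The block below is an added example, not the analyzer from the talk: it is flow-insensitive and single-procedure (the real tool builds a CFG and ICFG), it approximates RAPID syntax from the instruction names the slides mention (`SocketReceive`, `Open`, `Load`, `MoveJ`, late binding with `%name%`), and the sample task program is constructed for the demo. It tracks data arriving from the network into variables and reports where a tainted value reaches a file, movement or code-loading sink, mirroring the three vulnerability classes in the results table.

```python
"""Added example (not the talk's analyzer): a minimal taint pass over a
simplified RAPID-like task program. Syntax handled is a small subset."""
import re
from typing import Dict, List, Set

# Sources: instructions that write attacker-controlled data into a variable.
SOURCE_RULES = [
    ("Inbound communication", re.compile(r"^SocketReceive\b.*\\Str\s*:=\s*(\w+)", re.I)),
]
# Sinks: regex captures the expression that reaches the sink.
SINK_RULES = [
    ("Network -> File Access", re.compile(r"^Open\s+(.+?),", re.I)),
    ("Network -> Remote Function Exec", re.compile(r"^Load\s+(.+?);", re.I)),
    ("Network -> Remote Function Exec", re.compile(r"^%(.+?)%", re.I)),  # late binding
    ("Network -> Arbitrary Movement", re.compile(r"^(?:MoveJ|MoveL|MoveAbsJ)\s+(.+?),", re.I)),
]
ASSIGN = re.compile(r"^(\w+)\s*:=\s*(.+);$")
# StrToVal(str, val) writes its second (output) argument: taint flows str -> val.
STRTOVAL = re.compile(r"StrToVal\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)", re.I)
IDENT = re.compile(r"[A-Za-z_]\w*")


def identifiers(expr: str) -> Set[str]:
    """Identifiers used in an expression, ignoring string literals."""
    return set(IDENT.findall(re.sub(r'"[^"]*"', "", expr)))


def analyze(program: str) -> List[Dict[str, object]]:
    """Forward pass: grow the tainted-variable set, flag sinks fed by it."""
    tainted: Set[str] = set()
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(program.splitlines(), 1):
        stmt = raw.strip()
        if not stmt or stmt.startswith("!"):      # blank line or RAPID comment
            continue
        for _origin, rule in SOURCE_RULES:
            m = rule.match(stmt)
            if m:
                tainted.add(m.group(1))
        m = STRTOVAL.search(stmt)                 # output parameter propagation
        if m and m.group(1) in tainted:
            tainted.add(m.group(2))
        m = ASSIGN.match(stmt)                    # assignment propagation
        if m and identifiers(m.group(2)) & tainted:
            tainted.add(m.group(1))
        for label, rule in SINK_RULES:
            m = rule.match(stmt)
            if m and identifiers(m.group(1)) & tainted:
                findings.append({"line": lineno, "sink": label, "expr": m.group(1)})
    return findings


# Constructed sample: a RAPID-like "web server" task with three tainted sinks.
SAMPLE = """MODULE WebServer
  VAR socketdev client;
  VAR string request;
  VAR string path;
  VAR iodev page;
  VAR num offset;
  VAR bool ok;
  VAR robtarget target;
  PROC main()
    SocketAccept server, client;
    SocketReceive client \\Str:=request;
    ! Request string becomes part of a file name: path traversal
    path := "HOME:/www/" + request;
    Open path, page \\Read;
    ! Request string steers the arm
    ok := StrToVal(request, offset);
    target := Offs(home, offset, 0, 0);
    MoveJ target, v100, z50, tool0;
    ! Late binding: procedure name taken from the request
    %request%;
    ! Module name is a constant: not flagged
    Load "HOME:/static.mod";
  ENDPROC
ENDMODULE"""


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The pass over-approximates (any tainted identifier in an assignment taints the target, branches and interrupts are ignored), which is the same trade-off that produced the "detection errors" row on slide 44; a real implementation needs the CFG to handle interrupt handlers and conditional sanitization.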
45. Are these languages good to write malware? • Exchange files via network (see the file-handling columns of the feature table on slide 37).
46. Are these languages good to write malware? • Load or send data via network • Jump to code available at runtime (Load Module From File, Call By Name on slide 36).
47. Are these languages good to write malware? • Load or send data via network • Jump to code available at runtime • Scan the network for targets (Communication: ABB ✔, KUKA ✔, Mitsubishi ✔, Kawasaki ✔, COMAU ✔, DENSO ✔, Universal-Robot ✔, FANUC ✔).
48. Are these languages good to write malware? • Load or send data via network • Jump to code available at runtime • Scan the network for targets • Turing-complete language.
49. Conclusions
50. Conclusions: manufacturing systems are increasingly connected; industrial-specific classes of attacks; domain-specific language vulnerabilities; cooperative robotics challenges.
51. Questions? Stefano Zanero, stefano.zanero@polimi.it, @raistolo. For further details, scientific papers, and more: http://robosec.org

