These popular robots are defenseless against cyberattacks

Researchers from security company IOActive show how easy it is to take over Pepper and Nao, customer service robots used in stores and hotels.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Nao or never?
Enlarge Image
Nao or never?

SoftBank's Nao humanoid robot is vulnerable to ransomware attacks, researchers say.

Tim Hornyak/CNET

These robots are designed to be like humans in every way.

At CES 2017, SoftBank showed off Pepper, a humanoid machine that could talk, move around and evaluate your mood. The robot, developed by the Japan-based telecommunications giant, can be found in malls, cruise ships and airports around the world.  

But its most human-like feature is probably that it's vulnerable and insecure. Pepper and its companion robot Nao, also created by SoftBank, can be infected with malware, researchers from security company IOActive have discovered.

Lucas Apa and Cesar Cerrudo presented their research at the Kaspersky Security Analyst Summit in Cancun, Mexico, on Friday, turning the cute Nao robot into a demented-sounding machine demanding bitcoin.

They put ransomware on the childlike robot, which stands just under 2 feet tall. But this points to a much larger problem with malware and robots. Ransomware, which locks up devices until the victim pays up, hits computers hard, but it's much worse for robots. On a computer, you can back up your devices. On a robot, the cure isn't as simple and could cost companies millions of dollars.

"Imagine a scenario where all the employees get sick at the same time, and at that exact moment, the company loses money. That's what happens when ransomware hits robots," Cerrudo said in an interview before the presentation.

When the Cadbury chocolate factory suffered a ransomware attack last June, it forced the company to temporarily shut down production. Another attack forced Honda to shut down a car plant in Japan as well. In the past, security researchers found that factory robots were easy to hack -- now it turns out the ones in your homes aren't much better off.

The two researchers were able to hack the robot through an unprotected module hidden within its many functions. SoftBank's robots work through a series of commands and modules, whether it's for motion, listening, speaking or sight.

IOActive researchers got their hands on a Nao robot and dug through all of its modules until they found an exposed one that allowed them to take over the entire machine, without requiring authentication.  

From there, they were able to change the passwords, Nao's voice, how it moved, what it could say and what its camera recorded. Essentially, anything Nao was able to do, they could take it over, Cerrudo said.

"A robot is just a computer with arms, legs and wheels. You can program it to do anything," the researcher said before the presentation.

They changed the file executions, so for example, if Nao was supposed to ask, "Hello, how are you," they would be able to change the message to say, "You look stupid."

Because Pepper runs on the same software as Nao, the attacks could apply to SoftBank's more popular robot as well, IOActive said. The majority of robots, including Pepper and Nao, can use tools from Robot Operating System (ROS), which Cerrudo said "doesn't have any security at all."

ROS was "deliberately built without a security system," said Tim Smith, a spokesman for Open Robotics, the developers behind ROS. All communications are in clear-text, without any encryption, that can be accessed by anybody on the same network, he added.

"We explicitly chose not to implement our own security system within ROS because it would be worse to risk getting security wrong than to leave it out completely," Smith said.

The developers advise makers who use their operating system to implement their own security instead. Open Robotics said it's working on a new version, ROS 2, built with security in mind, including authentication and encryption.

Softbank said it's working toward better robot security.

"When in use of Pepper, we ask to maintain the Wi-Fi network security, and also to set the robot passwords correctly. We will continue to improve our security measures on Pepper, so we can counter any risks we may face," Yusuke Abe, a SoftBank spokesman, said in an email.  

Right now, attackers don't need physical access to the robots, Apa said. All they need to access the module is to be on the same Wi-Fi network, the researchers noted. Because these robots are mostly in spaces with public Wi-Fi, like hotels, malls and airports, it would be a common scenario, Apa said.

One security solution would involve putting the robots on their own private Wi-Fi networks, he added.

IOActive reached out to SoftBank, but the Japanese manufacturer said it couldn't fix the flaws their researchers discovered because the robots weren't built with security in mind, Cerrudo said.

"It's not easy for them to now add more security in them," the researcher said. "Companies should think about security from day one. Because it'll be more difficult and costly later on." 

Correction, 11:23 a.m. PT: This story initially misstated the name of the company behind Robot Operating System. It's Open Robotics. 

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

Blockchain Decoded:  CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.