ABSTRACT: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices but include complex embedded controllers, which are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point. The talk will discuss how remote attackers are able to attack such robots up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.
BIO: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently a full professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyber-physical security, and cybersecurity in general. Besides teaching “Computer Security” and “Digital Forensics and Cybercrime” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 100 scientific papers and books. He is a Senior Member of the IEEE and the IEEE Computer Society, which has named him a Distinguished Lecturer and Distinguished Contributor; he is a lifetime senior member of the ACM, which has named him a Distinguished Speaker; and has been named a Fellow of the ISSA (Information System Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading cybersecurity assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
Breaking the Laws of Robotics: Attacking Industrial Robots
1. Breaking the laws of robotics
Attacking industrial robots
Stefano Zanero
Politecnico di Milano
Partially based upon work with present and former colleagues and students:
D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. Zanchettin, M. Vittone
5. Threat Scenarios
CIA triad not so important, but:
● Safety
○ people, environment, equipment
● Production continuity
○ Production plant halting
○ Ransomware (“oh, I could ransom that, too”)
● Production outcome alteration
○ → safety?
23. Plenty of vulnerabilities
● BOF leading to RCE ABBVU-DMRO-124641
● BOF in FlexPendant ABBVU-DMRO-124645
● BOF in /command endpoint ABBVU-DMRO-128238
● Command Injection ABBVU-DMRO-124642
● Authentication bypass ABBVU-DMRO-124644
24. Takeaways
Some memory corruption
Mostly logical vulnerabilities
Unprotected sensitive files (e.g. config)
All the components blindly trust the main computer (lack of isolation)
29. Connected Robots: Why?
● Now: monitoring & maintenance ISO 10218-2:2011
● Enter the I4.0: active production planning/control
○ some vendors expose REST-like APIs
○ … up to the use of mobile devices for commands
● Future: app/library stores
○ “Industrial” version of robotappstore.com?
32. Not so many...
Remote Exposure of Industrial Robots
Search                  Entries   Country
ABB Robotics            5         DK, SE
FANUC FTP               9         US, KR, FR, TW
Yaskawa                 9         CA, JP
Kawasaki E Controller   4         DE
Mitsubishi FTP          1         ID
Overall                 28        10 countries
33. Remote Exposure of Industrial Routers
...way more!
Unknown which routers are actually robot-connected
40. We Asked Automation Engineers...
What language features do you use when programming robots?
41. We Found out that…
• Developers can introduce vulnerabilities that can be exploited
  • Yes, we found vulnerable code published on GitHub
• Threat actors can abuse the language features to write malware
  • Yes, we were able to write a network-capable, self-spreading malware dropper
44. Sources and Sinks
Attacker-controlled input (sensitive sources) → concrete impact (sensitive sinks)
Sensitive sources:
● File
● Inbound communication (e.g., network)
● Teach Pendant (UI)
Sensitive sinks:
● Robot Movement
● File Handling (e.g., read)
● File Modification (e.g., write configuration)
● Call by Name
45. We built an analyzer for (some) DSL
[Figure: analysis pipeline in four stages. (1) Parsing of the task program's source code (RAPID parser, KRL parser, ...); (2) CFG Generation; (3) ICFG Generation; (4) Dataflow Analysis. Outputs: Potential Vulnerabilities (Insecure Patterns) and Potentially Abused Features (Malicious Patterns). Example input shown in the figure:]
MoveJ point0
WaitTime 4
MoveL point1
WaitTime 5
46. Detection Results
• Hard to find public code (it’s intellectual property)
• 100 RAPID and KRL files on public repo (e.g., GitHub and GitLab)
Vulnerability                    Projects  Files  Root Cause
Network → Remote Function Exec   2         2      Dynamic code loading
Network → File Access            1         4      Unfiltered open file
Network → Arbitrary Movement     13        34     Unrestricted Move Joint or Move to point
Detection Errors                 2         12     Interrupts
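Added example (not the analyzer from the talk, and not vendor code): a toy source-to-sink dataflow check in Python over a constructed, RAPID-like task program. It mirrors the sources (file, network, teach pendant) and sinks (movement, file access, call by name, dynamic code loading) from slide 44 and the "unrestricted move" root cause in the table above. The statement syntax and every builtin name (SocketReceive, ReadStr, TPReadNum, MoveJ, MoveL, Open, Load, CallByVar, Clamp) are assumptions; a real analyzer would parse the vendor grammar and walk a CFG/ICFG instead of straight-line text.

```python
"""Toy taint (source-to-sink) check for a constructed RAPID-like robot program.

Every builtin name below is an assumption made for this example; it is not the
real RAPID/KRL API and not the analyzer described in the talk.
"""
import re
from typing import Dict, List, Set, Tuple

# Builtins whose results are attacker-controllable (sensitive sources).
SOURCES = {"SocketReceive": "network", "ReadStr": "file", "TPReadNum": "teach pendant"}

# Operations whose arguments must not be attacker-controlled (sensitive sinks).
SINKS = {
    "MoveJ": "robot movement",
    "MoveL": "robot movement",
    "Open": "file access",
    "Load": "dynamic code loading",
    "CallByVar": "call by name",
}

# A range check is the one "restriction" we recognise: its result stays tainted
# but is considered safe for movement sinks only (bounded, not trusted as a path).
SANITIZERS = {"Clamp": "robot movement"}

ASSIGN = re.compile(r"^(\w+)\s*:=\s*(\w+)\s*\((.*)\)\s*;?$")  # x := F(args)
COPY = re.compile(r"^(\w+)\s*:=\s*(\w+)\s*;?$")               # x := y
CALL = re.compile(r"^(\w+)\s+(.*?)\s*;?$")                      # F args

Finding = Tuple[int, str, str, str]  # (line, sink kind, source kind, variable)


def _args(text: str) -> List[str]:
    return [a.strip() for a in text.split(",") if a.strip()]


def analyze(program: str) -> List[Finding]:
    """Flow-sensitive, straight-line taint tracking; returns unrestricted flows."""
    taint: Dict[str, Set[str]] = {}      # variable -> source kinds reaching it
    safe_for: Dict[str, Set[str]] = {}   # variable -> sink kinds it was checked for
    findings: List[Finding] = []

    def check_sink(lineno: int, func: str, args: List[str]) -> None:
        kind = SINKS[func]
        for a in args:
            if kind in safe_for.get(a, set()):
                continue  # value was restricted for this kind of sink
            for src in sorted(taint.get(a, set())):
                findings.append((lineno, kind, src, a))

    def union_taint(args: List[str]) -> Set[str]:
        return set().union(*(taint.get(a, set()) for a in args))

    for lineno, raw in enumerate(program.splitlines(), 1):
        line = raw.split("!")[0].strip()   # '!' starts a comment, as in RAPID
        if not line:
            continue
        m = ASSIGN.match(line)
        if m:
            var, func, argtext = m.groups()
            args = _args(argtext)
            if func in SOURCES:
                taint[var] = {SOURCES[func]}
                safe_for.pop(var, None)
            elif func in SANITIZERS:
                taint[var] = union_taint(args)
                safe_for[var] = {SANITIZERS[func]}
            else:
                if func in SINKS:              # e.g. handle := Open(path)
                    check_sink(lineno, func, args)
                taint[var] = union_taint(args)  # generic call: propagate, drop checks
                safe_for.pop(var, None)
            continue
        m = COPY.match(line)
        if m:
            var, src = m.groups()
            taint[var] = set(taint.get(src, set()))
            safe_for[var] = set(safe_for.get(src, set()))
            continue
        m = CALL.match(line)
        if m and m.group(1) in SINKS:          # e.g. MoveJ target, v100
            check_sink(lineno, m.group(1), _args(m.group(2)))
    return findings


# Constructed sample program (not real RAPID); line numbers start at 1.
PROGRAM = """\
! constructed task program for the example
raw := SocketReceive(sock)
target := raw
MoveJ target, v100            ! network -> movement, unrestricted
bounded := Clamp(raw, 0, 90)
MoveJ bounded, v100           ! bounded first: not reported
path := ReadStr(cfgfile)
Open path                     ! file -> file access, unfiltered
fname := raw
CallByVar fname               ! network -> call by name
"""

if __name__ == "__main__":
    for lineno, kind, src, var in analyze(PROGRAM):
        print(f"line {lineno}: {src} -> {kind} via '{var}'")
```

Only flows that reach a sink without passing through the recognised restriction are reported, so the clamped move on line 6 is silent while the same network value reaching a call-by-name sink on line 10 is not; that is the distinction between "unrestricted" and restricted use the detection table relies on.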
47. Are These Languages Good to Write Malware?
• Exchange files via network
Vendor | File System | Directory Listing | Load Module From File | Call By Name | Communication
ABB ✔ ✔ ✔ ✔ ✔
KUKA ✔ ✔
Mitsubishi ✔ ✔
Kawasaki ✔
COMAU ✔ Indirect ✔ ✔ ✔
DENSO ✔ ✔ ✔
Universal-Robot ✔
FANUC ✔ ✔ ✔ ✔ ✔
48. Are These Languages Good to Write Malware?
• Load or send data via network
• Jump to code available at runtime
Vendor | File System | Directory Listing | Load Module From File | Call By Name
ABB ✔ ✔ ✔ ✔
KUKA ✔
Mitsubishi ✔
Kawasaki
COMAU ✔ Indirect ✔ ✔
DENSO ✔ ✔
Universal-Robot
FANUC ✔ ✔ ✔ ✔
49. Are These Languages Good to Write Malware?
• Load or send data via network
• Jump to code available at runtime
• Scan the network for targets
Vendor | Communication
ABB ✔
KUKA ✔
Mitsubishi ✔
Kawasaki ✔
COMAU ✔
DENSO ✔
Universal-Robot ✔
FANUC ✔
50. Are These Languages Good to Write Malware?
• Load or send data via network
• Jump to code available at runtime
• Scan the network for targets
• Turing-complete language