Wednesday warning that consumer, industrial and service robots in use today have serious security vulnerabilities making them easy targets for hackers or accidental breaches. In a review of 10 robots, ranging from home and business to industrial models, IOActive said the risks ranged from insecure communications, authentication issues and weak cryptography to missing authorization. Cesar Cerrudo, CTO of IOActive Labs, said robots suffer from many of the same security shortcomings as IoT, medical devices, smart cars and plush toys. “We found nearly 50 cybersecurity vulnerabilities in the robot ecosystem components, many of which were common problems,” according to the IOActive Labs report. As part of its investigation, IOActive analyzed some robot hardware as well as robot ecosystems. Some of the robots examined included SoftBank Robotics’ NAO and Pepper robots, UBTECH Robotics’ Alpha 1S and Alpha 2 robots and Rethink Robotics’ Baxter and Sawyer robots. Underlying issues within the robots studied for the report, Cerrudo said, included weak default configurations, a big security problem responsible for privacy breaches and DDoS attacks in other internet-connected devices. “We found robots with insecure features that couldn’t be easily disabled or protected, as well as features with default passwords that were either difficult to change or could not be changed at all,” according to the report.
In a closer examination of the robot ecosystems, IOActive Labs said many of the robot platforms it analyzed use open source frameworks and libraries that suffer from known vulnerabilities such as cleartext communication, authentication issues, and weak authorization schemes. “In the robotics community, it seems common to share software frameworks, libraries, operating systems, etc., for robot development and programming. This isn’t bad if the software is secure; unfortunately, this isn’t the case here,” according to IOActive Labs. Cerrudo said the threat of robots is unique in that many are semiautonomous and can wander and impact their immediate physical environment. “The threat is limited today, compared to what robots will be capable of in the future,” he said. Robot components such as microphones, cameras, network connectivity, remote control applications and mobility features that help robots navigate physical environments need better security, Cerrudo said. “A hacked autonomous robot can move around as long as its battery continues to provide power. This allows hackers to control an ‘insider threat’ and steal information or cause harm to nearby objects or people,” according to the report. When asked, Cerrudo could not point to any known cases of a hacked robot causing personal harm or posing a security risk. Nevertheless, he cited several robot-related accidents that he said demonstrate potential risks posed by a hacked robot. In one case cited by IOActive Labs, a woman was killed in an industrial accident in 2015 in Alabama when an industrial robot restarted abruptly. It cited additional loss-of-life incidents tied to robotic functions within computerized medical and military equipment. “We aren’t aware of any robots that have been hacked. But the security of the robots we tested is very poor.
Eventually in the future, when robots are more mainstream, we expect cybercriminals will start seeing hacking robots as a way to make money,” said Lucas Apa, senior security consultant with IOActive Labs. That timeline of mass robot adoption is still a little foggy, according to Apa. According to market research firm IDC, worldwide spending on robots will reach $188 billion by 2020, up from $91.5 billion in 2016. According to IDC, many of those robots will include consumer, industrial, and service robots for industries such as healthcare and retail. “The industry doesn’t appear to learn from its mistakes,” Cerrudo said.
Discovered by a security researcher who goes by the name of Zenofex, these security flaws have not been reported to Western Digital, are still unpatched, and public exploit code is available for more than half of the vulnerabilities. According to Zenofex, multiple WD MyCloud NAS device models are affected, such as: Zenofex's decision not to inform Western Digital came after the researcher attended a security conference last year, where other infosec professionals complained about Western Digital ignoring vulnerability reports. It was at the same conference, Black Hat USA 2016, where Western Digital also won a Pwnie Award in a category called "Lamest Vendor Response." "Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out," Zenofex argued in defense of his decision not to wait until Western Digital patches the security bugs. "Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible," he added. Zenofex, who's a member of the Exploitee.rs community, says he found a whopping total of 85 security issues. Based on the exploit code, many of these security flaws can be exploited by altering cookie values or embedding shell commands in cookie parameters. When the image loads inside their browser, the exploit code executes against the local NAS drive and takes over the device.
The most severe of these issues, according to Zenofex, is an authentication bypass issue, which ironically was also the easiest to exploit, requiring only the modification of cookie session parameters. And since Murphy's Law applies to hardware devices as well, things went wrong all the way: the commands aren't executed under a limited user but run as root, giving attackers full control over affected devices and allowing them to upload or download data at will.
Cisco's Talos says they've observed active attacks against a zero-day vulnerability in Apache's Struts, a popular Java application framework. Cisco started investigating the vulnerability shortly after it was disclosed, and found a number of active attacks. In an advisory issued on Monday, Apache says the problem with Struts exists within the Jakarta Multipart parser. "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user," the warning explained. "If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser." The alternative is the Pell parser plugin, which uses Jason Pell's multipart parser instead of the Common-FileUpload library, Apache explains. In addition, administrators concerned about the issue could just apply the proper updates, which are currently available. In a blog post, Cisco said they discovered a number of attacks that seem to be leveraging a publicly released proof-of-concept to run various commands. Such commands include simple ones ('whoami') as well as more sophisticated ones, including pulling down a malicious ELF executable and running it.
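Apache's advisory ties the Struts problem to a Content-Type value that is not syntactically valid, so one cheap detection signal for a defender is simply checking whether the header parses as a media type at all. The following is an added example, not code from Apache, Cisco or IOActive: a media-type validator following the RFC 7231 token grammar, run over a few constructed, tab-separated request log lines (the log format, hosts and paths are all assumptions).

```python
"""Flag POST requests whose Content-Type header is not a well-formed
media type, the condition the Apache advisory says makes the Jakarta
Multipart parser throw. Added example; log lines below are constructed."""
import re

# RFC 7231 "token": one or more tchar (no braces, quotes or whitespace)
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string, e.g. charset="utf-8"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# optional ";name=value" parameters such as boundary=...
_PARAM = rf"\s*;\s*{_TCHAR}\s*=\s*(?:{_TCHAR}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"{_TCHAR}/{_TCHAR}(?:{_PARAM})*\s*")

# Constructed sample log: client <tab> method <tab> path <tab> Content-Type
SAMPLE_LOG = [
    "203.0.113.7\tPOST\t/struts-app/upload.action\tmultipart/form-data; boundary=----constructed1234",
    "198.51.100.9\tPOST\t/api/items\tapplication/json",
    "203.0.113.22\tPOST\t/struts-app/upload.action\t%{constructed-invalid-value}",
    "192.0.2.5\tPOST\t/struts-app/upload.action\tmultipart/form-data;;boundary",
    "192.0.2.5\tGET\t/struts-app/index.action\t",
]


def is_valid_content_type(value: str) -> bool:
    """True when value parses as type/subtype *( ";" name=value )."""
    return bool(_MEDIA_TYPE.fullmatch(value.strip()))


def scan_log(lines):
    """Return (client, path, content_type) for every POST whose
    Content-Type fails the media-type grammar."""
    hits = []
    for line in lines:
        client, method, path, ctype = line.split("\t", 3)
        if method == "POST" and not is_valid_content_type(ctype):
            hits.append((client, path, ctype))
    return hits


if __name__ == "__main__":
    for client, path, ctype in scan_log(SAMPLE_LOG):
        print(f"suspicious Content-Type from {client} to {path}: {ctype!r}")
```

A syntactically valid header can still be hostile, so this check complements patching to the advisory's fixed versions rather than replacing it.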
An example of one attack, which attempts to copy the file to a harmless directory, ensure the executable runs, and ensure that the firewall is disabled at boot-up, is below: Both Cisco and Apache urge administrators to take action, either by patching or by ensuring their systems are not vulnerable. This isn't the first time the Struts platform has come under attack. In 2013, Chinese hackers were using an automated tool to exploit known vulnerabilities in order to install a backdoor.