Posted on March 13, 2018 at 7:19 PM
Retail Robots Hacked can Assault Customers with Pornography and Demand Ransom
Researchers have created ransomware that could turn SoftBank Robotics NAO, and Pepper units act really strangely. IOActive researchers have caused profane outbursts, pornographic displays and more on the NAO and Pepper interfaces- all tied to Bitcoin ransoms. Security issues must be addressed, as these service bots enter the commonplace market.
We’ve all seen iRobot. I, personally, have recurring nightmares about sentient robots destroying mankind… those are fun thoughts to examine. And so far-fetched that we really aren’t too concerned. Right? New research suggests that maybe we should be more concerned, though.
The Scenario
It’s a Friday night; you are hungry. The best thing you can imagine is sitting down, binge-watching Black Mirror and biting into a gooey, cheesy, slice of pizza. Yes! Down you go, to the Pizza Hut around the corner. You walk in and are greeted by Pepper, the robotic assistant who will be taking your order this evening.
“Hi Pepper,” you say, “I’d like a large pizza with pepperoni, green peppers, and olives… no, strike the olives, just pepperoni and peppers, please.”
You wait a moment, as Pepper is processing your order. The cheeky robot says this, “Go f*** yourself.” Stunned, you shake your head and try to understand if you have just imagined this. But no, Pepper is swearing at you, and suddenly, the friendly order confirmation screen switches views to a busty blonde in a not so flattering, intimate, exchange with a couple of men. Then Pepper barks, “Give me Bitcoin!” What is going on?
Well, researchers say that this kind of situation is actually possible. Pizza Hut, as well as Sprint stores, have started rolling out Pepper as a stand-in for live human service. It has its benefits, including a standardized experience and a far smaller cost to the business, over just hiring some kid to do the work, but also, there are potential vulnerabilities in the system.
According to a paper published March 9, “Robots want bitcoins too,” IOActive security researches Lucas Apa and Cesar Cerrudo were able to create ransomware that could not only disable worker bots but make them do bizarre things, like displaying porn and shouting expletives.
This sort of outburst from a human employee would result in a firing, but for a robot? The company would have to shut down the service bot all together, and either attempt a factory reset or send it back to manufacturers to be fixed. This all results in a loss of revenue, and some pretty ticked off customers.
Pepper, a 4-foot tall humanoid service robot, has been ordered around the world. About 10,000 units are on their ways to businesses like Sprint and Pizza Hut. The units cost about $9,000 over the course of three years, including service fees. They are not cheap, though when compared with the cost of employing and ensuring actual humans, the cost is pennies on the dollar. Still, though, these units need to function and be invulnerable to attacks like Apa’s and Cerrudo’s, in order to be worth anything at all. If these bots are taken offline due to ransomware, companies might be inclined to just pay the ransom, rather than deal with taking the revenue hit of removing the bot, getting the bot repaired, and losing customer trust.
More Vulnerabilities
The cursing and pornography test is not the first time Apa and Cerrudo have shown bots to be vulnerable. They previously created ransomware that turned Softbank Robotics NAO and Pepper into spying devices! Additionally, they were able to override some of the safety protocols of the robots.
The protocols were ones directly aimed at stopping the bot from hurting a human being. As if dystopian, rude, pizza server bots weren’t alarming enough, the team was able to give UBTech’s Alpha 2 bot the ability to stab a person with a screwdriver!! According to Apa, many of these robots have enough strength to crack a human skull. The trust implicit in working with these robots means that workers standing in line with these devices aren’t wearing safety equipment (nor should they have to!).
Companies owe it to us to focus on these problems
According to Apa, a lot of these problems can be prevented if manufacturers were to isolate service protocols from other parts of the robot’s programming. As it stands, once a person hacks a robot, they can make it do whatever they want. Additionally, Apa calls for better factory reset capabilities. Where the bots do have reset functions, they are not comprehensive enough to cover all parts of an issue.
Apa attributes this lackadaisical approach to robot security and service as to companies with a greater focus on marketing than on practicality. Since these products debuted seven or eight years ago, expectations have been high. Companies are trying to showcase what they have accomplished, as quickly as possible, and things are falling through the cracks.
