• Inspect documentation, consult developers and inspect robot’s body and components. Look for accessible ports (e.g. Ethernet, USB, CAN, etc.)

• Open all doors, which are not protected by locks and look for ports inside

with sensors, user interfaces, power or other robot-related components

• Open all doors, which are not protected by locks, even those protected, and look for robot components and their buses

• Investigate ventilation holes and see if they are wide enough to access internal communication ports

with a docking station or by connecting to the ports

• Try to connect to the identified communication ports:

  • Determine if authentication is required(e.g. Network access control for Ethernet)?
  • Assess whether the communication is encripted
  • Try communicating with them, attempt fizzing to discover if robot’s state can be affected.

• If a robot connects to a docking station to transfer some data, try to use sniffers to see how data exchange is being done (verify if some sensitive, configuration or control data is transferred in clear text)

removed or completely disabled causing the robot to misbehave. The most obvious example is the removal of critical sensors for the behavior of the robot

• Inspect robots body and look for accessible components (e.g. sensors, actuators, computation units, user interfaces, power components, etc.)
• Open all doors which are not protected by locks and look for accessible components inside.

to be partially outside of the body frame (e.g. certain sensors such as range finders, or the antennas of certain wireless communication components) in such a case only the required part should stick out, but not the whole component

• Identify all parts of the frame that can be opened or removed to get access to the components or modules.
• Check whether there is an active (tamper switches) or passive (tamper evident screws and seals) monitoring capability present.
• In case of active monitoring capability, verify that operator receives a real-time alert and the incident is being logged and acted upon by reviewing procedures.

were accessed or not. However, there is still a time window between inspections when exploited robots can be abused

• Review the logs of powering on and off routines of the robot.

• Review the logs of physical changes in the robot.

• Review the logs of each individual component and look for anomalies.

• Validate authentication mechanisms and verify that no known vulnerabilities are present on such.

• If internal network is password protected, attempt common password guessing.

• Verify whether the robot logs both successful and unsuccessful login attempts.

Network fingerprinting is useful to understand the internal network structure and its behavior, and to identify components’ operating system by analyzing packets from that component. This information could be used for malicious purposes, since it provides fine-grained determination of an operating system and its characteristics.

• Perform fingerprinting attacks on the internal networks.

• Evaluate obtained information with the manufacturer’s available data and assessits impact.

• If necessary, propose a mitigation strategy through the use of ”scrubbers”, whichwill ”normalize” the packets, and remove the unique identifying traits that the attacker is seeking. Refer to [18] for more details about the use of ”scrubbers”.

Vulnerabilities in communication protocols can allow attackers to gain unauthorized access to the internal network of the robot and intercept or modify any transmitted data.

• Identify all present communication capabilities by inspecting documentation, byconsulting developers or by manual analysis.

• Analyze if used protocol versions provide encryption and mutual authentication.

• Verify that used protocol is hardened according to industry standards.

to hardware limitations or performance requirements, although it is critical for robots to introspect, monitor, report and act on issues that could appear on their internal networks. Security by obscurity is unfortunately a commonly accepted approach in robotics, nevertheless, it has been demonstrated that this approach leads to critically unsecured robots. Monitoring and control capabilities should be implemented on the internal network of the robot either through the manufacturer or through additional or external solutions. The decision of applying counter-measures to the attack or only alerting should be determined by the impact of possible false positives on the operative of the robot.

• Sweep the internal robot network and enumerate entry points (e.g. open ports, existing component information, network map of components, etc).

• Try to match the fingerprints identified and to map known vulnerabilities.

• Connect to the network and attempt to perform network-based attacks (e.g. ARPpoisoning, denial of service on a particular component, etc.)

• Verify whether the robot detects and registers incidents.

• Verify whether the robot acts upon such events and either:

• (The robot) responds to insult proactively.

• An operator receives a real time alert and acts based on procedures.

from the outside and ensure that they cannot accidentally leak data to the external network.

• Inspect documentation, consult developers and inspect components which are responsible for external communications. Identify that such components have firewalls.
• Inspect firewall settings and verify that no components or modules are allowed to communicate to the external network unless it is necessary.
• If a VPN is used, verify that there are rules which allow components or modules to communicate with the outside world only via the VPN tunnel.

means that each communication component interfacing with an external channel should have a firewall behind it or use third party solutions. For example, WiFi hotspots in robots or LTE/UMTS transceivers.

• Validate authentication mechanisms and verify that no known vulnerabilities are present on such.

• If external network is password protected, attempt common password guessing.

• Verify whether the robot logs the users connected to the network.

its behavior, as well as to identify devices’ operating system by analyzing packets from that network. This information could be used for malicious purposes since it provides fine-grained determination of an operating system and its characteristics.

• Perform fingerprinting attacks on the external network.

• Evaluate obtained information with the manufacturer’s available data and assess its impact.

• If necessary, propose a mitigation strategy through the use of ”scrubbers”, which will ”normalize” the packets, and remove the unique identifying traits that the attacker is seeking. Refer to [18] for more details about the use of ”scrubbers”.

known vulnerabilities.

• Identify all communication capabilities being present by inspecting documentation, consulting developers or by manual analysis.
• Analyze if used protocol versions provide encryption and mutual authentication.
• Verify that used protocol is hardened according to industry standards.

VPN or application level encryption should be used.

• Connect to the network that is being used by the robot for communication and scan all robot ports to find the open ones. Verify with manufacturer manuals whether their presence is required.

• Identify, if possible, services running behind an open port and its version.

• Verify whether identified services are still receiving security updates and have no known vulnerabilities.

are issued based on known signatures or anomalies and appropriate actions are taken.

• Sweep the external robot network and enumerate entry points (e.g. open ports, protocol information, network map of components, robot components etc).
• Try to match the fingerprints identified and map to known vulnerabilities.
• Perform network based attacks (e.g. ARP poisoning, denial of service on a particular component).
• Verify whether the robot detects and registers incidents on the external network.
• Verify whether the robot acts upon such events and either:
• (The robot) responds to insult proactively.
• An operator receives a real time alert and acts based on procedures.

monitoring, alerting and response due to limitations on the robot capabilities, manufacturers should extend their capabilities or refer to third party solutions that could offer such.

• Check if the underlying OS is still maintained and receives security patches.

• Check whether the latest security updates are applied.

• Check if there is an update mechanism present and enabled.

• Check if the updates are encrypted when transferred to the robot.

of middleware code against established compliance mechanisms. A common middleware such as ROS 2 should comply with the Motor Industry Software Reliability Association (MISRA) guidelines. Other middlewares might use different guidelines.

• Determine the exact set of guidelines that are being applied.

• Validate whether these guidelines have been implemented.

manufacturer. Verify to perform system updates in the middlware.

• Check if the underlying middleware is still maintained and receives security patches.

• Check whether the latest security updates are applied.

• Check if there is an update mechanism present and enabled.

• Check if the updates are encrypted when transferred to the robot.

way to provide updates to all the devices that are already sold to customers. However, update mechanisms can be circumvented by an attacker to deliver malicious update. Therefore, it is important to verify the origin of the update prior to installation.

• Identify if there is a mechanism to deliver firmware updates.
• Verify that updates are cryptographically signed.
• Verify that the signature is verified prior to installation.

• Log in with authorized credentials and attempt to perform different actions, record the requests that are being made.

• Log out and attempt to send the same requests as an unauthenticated user. Verify whether it is successful.

• Log out and log in again as a user with lower access rights. Attempt to send the same requests again. Verify whether it is successful.

data.

• Verify that minimum Personally Identifiable Information (PII) is collected and transmitted over the internet.

• Verify that if PII is collected users are made aware of it (e.g. in case of a video recording people can be warned by stickers or signs on the robot).

• Verify that all PII is stored and transmitted in a secure manner.

compliance to the data protection regulations and laws that apply. Particularly, General Data Protection Regulation (GDPR) in the EU.

• Assess the legitimate interests.
• Assess the consent.
• Assess the information provisions.
• Assess the third party data.
• Assess the profiling.
• Assess the legacy data

with data protection regulations can result in financial penalties and should therefore be taken into consideration.

• Consult documentation and developers to find whether integrity check for critical components is present.

• Try disabling or modifying critical components (e.g. safety sensors or range finding systems) of the robot and check if the operator receives a real-time alert and the incident is being logged.

• Check whether the robot continues to function afterwards. Its operation should be stopped as soon as any critical component is disabled or modified, (e.g. if a proximity sensor is disabled the robot should not be able to move, because it will not be able to spot obstacles and can easily do some physical damage).

and effortless way to exploit internet connected devices.

• Review documentation and consult developers to identify whether default passwords are used.

• Attempt to log in with commonly used passwords.

• If default passwords are used, verify whether their change is encouraged on the first use.

• If unique passwords are created on a per device basis, ensure that they are random and not in a sequential order.

change succeeded.

• A password length of, at least, 8 characters.

• Enforce the usage of 3 of this 4 categories:lower-case, upper-case, numbers, special characters.

attempts should be prevented by implementing a login lockout mechanism.

• Consult documentation and developers to identify whether hardcoded or backdoor credentials are used.

• Analyze the source code for hardcoded or backdoor credentials.

or lateral movement.

• Review the source code and documentation, consult developers and identify whether passwords are stored in a cleartext.

should be 5 login attempts or less.

• Intercept connection between a robot and a control center application or a cloud server.

• Use protocol analyzer to verify that transmitted data is encrypted.

then arbitrary replay them to achieve desired actions.

• Intercept the connection between the robot and a control center application or a cloud server.

• Record the control or configuration packets sent to the robot.

• Attempt to replay the packets and verify whether the desired action is executed.

can easily introduce a vulnerability into the product where they are used.

• Identify which 3rd party libraries and components are used and what are their versions.

• Look for known vulnerabilities in the current version.

• Verify whether the identified component is still receiving security updates and has no unpatched vulnerabilities.

• Verify that the latest security updates are installed.

control center application.

• Identify web interface that is being used (hosted on the robot itself or a cloud server).

• Use OWASP methodology to test web application against OWASP Top 10 Web application vulnerabilities.

phone control center application.

• Identify whether the robot has a mobile app that can be used to control or interact with it.
• Test the application against OWASP Mobile Top 10.