Scanning the Internet for ROS: A View of Security in Robotics Research
Nicholas DeMarinis, Stefanie Tellex, Vasileios Kemerlis, George Konidaris, Rodrigo Fonseca

TL;DR
This study systematically scans the IPv4 internet for ROS instances, revealing widespread exposure of robotic systems and demonstrating potential security risks through real-world access to sensors and actuators.
Contribution
It provides the first comprehensive internet-wide analysis of ROS security exposure and offers practical recommendations for improving robotic system security.
Findings
Many ROS hosts are publicly accessible, risking unauthorized control.
Researchers successfully accessed sensor data and manipulated robots with consent.
Geographic and device distribution of exposed ROS systems is diverse.
Abstract
Because robots can directly perceive and affect the physical world, security issues take on particular importance. In this paper, we describe the results of our work on scanning the entire IPv4 address space of the Internet for instances of the Robot Operating System (ROS), a widely used robotics platform for research. Our results identified that a number of hosts supporting ROS are exposed to the public Internet, thereby allowing anyone to access robotic sensors and actuators. As a proof of concept, and with consent, we were able to read image sensor information and move the robot of a research group in a US university. This paper gives an overview of our findings, including the geographic distribution of publicly-accessible platforms, the sorts of sensor and actuator data that is available, as well as the different kinds of robots and sensors that our scan uncovered. Additionally, we…
