Industrial robot ransomware: Akerbeltz

TL;DR

This paper introduces Akerbeltz, the first known industrial robot ransomware, highlighting the insecurity in robotics and urging for better security practices and responsible disclosure to prevent future vulnerabilities.

Contribution

It presents Akerbeltz, a novel ransomware targeting industrial robots, demonstrating security flaws and advocating for improved security policies in robotics industry.

Findings

Demonstrated ransomware attack on Universal Robots.

Highlighted insecurity by design in industrial robotics.

Called for responsible vulnerability disclosure policies.

Abstract

Cybersecurity lessons have not been learnt from the dawn of other technological industries. In robotics, the existing insecurity landscape needs to be addressed immediately. Several manufacturers profiting from the lack of general awareness are systematically ignoring their responsibilities by claiming their insecure (open) systems facilitate system integration, disregarding the safety, privacy and ethical consequences that their (lack of) actions have. In an attempt to raise awareness and illustrate the "insecurity by design in robotics" we have created Akerbeltz, the first known instance of industrial robot ransomware. Our malware is demonstrated using a leading brand for industrial collaborative robots, Universal Robots. We describe the rationale behind our target and discuss the general flow of the attack including the initial cyber-intrusion, lateral movement and later control phase. We urge security researchers to adopt some sort of disclosure policy that forces manufacturers to react promptly. We advocate against security by obscurity and encourage the release of similar actions once vulnerability reports fall into a dead-end. Actions are now to be taken to abide a future free of zero-days for robotics.