Add citation and various updates, v0.5
Signed-off-by: Víctor Mayoral Vilches <[email protected]>
vmayoral committed Aug 3, 2022
1 parent e3be306 commit b046cae
Showing 4 changed files with 42 additions and 4 deletions.
35 changes: 35 additions & 0 deletions 0_introduction/README.md
Expand Up @@ -25,6 +25,17 @@ Security is *not a product, but a process* that needs to be continuously assesse

<!-- To read more on how cybersecurity in robotics compares to IT, OT or IoT, refer to [this article](https://cybersecurityrobotics.net/it-ot-iot-and-robotics-security-comparison/). -->

## Cite this work

```
@article{mayoral2022robot,
title={Robot Hacking Manual (RHM)},
author={Mayoral-Vilches, V{\'\i}ctor},
journal={arXiv preprint arXiv:2203.04765},
year={2022}
}
```

\newpage

## Literature review
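Review bot: The BibTeX entry added under `## Cite this work` identifies the paper only through `journal={arXiv preprint arXiv:2203.04765}`, with no `url` or `eprint` field, so the entry carries no resolvable link. Consider adding `url={https://arxiv.org/abs/2203.04765}`, and tagging the fence as `bibtex` so the block is highlighted.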
Expand All @@ -35,6 +46,30 @@ Security however hasn't started being addressed in robotics until recently. Foll

A bit more than a year after that, starting in 2018, it's possible to observe how more groups start showing interest for the field and contribute. @vilches2018introducing initiated a series of security research efforts attempting to define offensive security blueprints and methodologies in robotics that led to various contributions [@vilches2018volatile; @kirschgens2018robot; @mayoral2018aztarna; @mayoral2020alurity; @mayoral2020can; @lacava2020current; @mayoral2020devsecops; @mayoral2020industrial]. Most notably, this group released publicly a framework for conducting security assessments in robotics @vilches2018introducing, a vulnerability scoring mechanism for robots @mayoral2018towardsRVSS, a robotics Capture-The-Flag environment for robotics whereto learn how to train robot cybersecurity engineers @mendia2018robotics or a robot-specific vulnerability database that third parties could use to track their threat landscape @mayoral2019introducing, among others. In 2021, @zhu2021cybersecurity published a comprehensive introduction of this emerging topic for theoreticians and practitioners working in the field to foster a sub-community in robotics and allow more contributors to become part of the robot cybersecurity effort.


\newpage

## Robot hacks
A non-exhaustive list of cybersecurity research in robotics containing various related robot vulnerabilities and attacks due to cybersecurity issues.

| 👹 Codename/theme | 🤖 Robotics technology affected | 👨‍🔬 Researchers | 📖 Description | 📅 Date |
|-----|-------|-------------|-------------|------|
| | Enabot's [`Ebo Air`](https://na.enabot.com/shop/air001) | **Modux** | Researchers from Modux found a security *flaw* in Enabot Ebo Air #robot and responsibly disclosed their findings. Attack vectors could lead to remote-controlled *robot* spy units. Major entry point appears to be a hardcoded system administrator password that is weak and shared across all of these robots. Researchers also found information disclosure issues that could lead attackers to exfiltrate home (e.g. home WiFi password) that could then be used to pivot into other devices through local network. | 21-07-2022 |
| <ins>Analyzing the Data Distribution Service (DDS) Protocol for Critical Industries</ins> | [`ROS 2`](https://ros.org), [eProsima](https://www.eprosima.com/)'s [`Fast-DDS`](https://github.com/eProsima/Fast-DDS), [OCI](https://objectcomputing.com/)'s [`OpenDDS`](https://github.com/objectcomputing/OpenDDS), [ADLINK](https://www.adlinktech.com/)'s (*now [ZettaScale](https://www.zettascale.tech/)'s*) [CycloneDDS](https://github.com/eclipse-cyclonedds/cyclonedds), [RTI](<https://www.rti.com>)'s [ConnextDDS](https://www.rti.com/products), [Gurum Networks](https://www.gurum.cc/home)'s [GurumDDS](https://www.gurum.cc/freetrial) and [Twin Oaks Computing](http://www.twinoakscomputing.com/)'s [CoreDX DDS](http://www.twinoakscomputing.com/coredx/download) | [Ta-Lun Yen](https://www.linkedin.com/in/evsfy/), [Federico Maggi](https://www.linkedin.com/in/phretor/), [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/), [Erik Boasson](https://www.linkedin.com/in/erik-boasson-21344912/) *et al.* (**various**) | This research looked at the OMG Data Distribution Service (DDS) standards and its implementations from a security angle. 12 CVE IDs were discovered 🆘, 1 specification-level vulnerability identified 💻, and 6 DDS implementations were analyzed (3 open source, 3 proprietary). Results hinted that DDS's security mechanisms were not secure and much effort on this side was required to protect sensitive industrial and military systems powered by this communication middleware. The research group detected that these security issues were present in almost 650 different devices exposed on the Internet, across 34 countries and affecting 100 organizations through 89 Internet Service Providers (ISPs). | 19-04-2022 |
| <ins>Hacking ROS 2, the Robot Operating System</ins> | [`ROS 2`](https://ros.org) | [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/) *et al.* (**various**) | A team of security researchers led by the spanish firm Alias Robotics on their robotics focus discovered various security vulnerabilities that led to compromising the Robot Operating System 2 (ROS 2) through its underlying communication middleware (the DDS communications middleware). Researchers demonstrated how to dissect ROS 2 communications and perform ROS 2 reconnaissance, ROS 2 network denial of service through reflection attacks, and ROS 2 (Node) crashing by exploiting memory overflows which could lead to remote execution of arbitrary code. To mitigate these security vulnerabilities, Alias Robotics contributed to various open source tools including to SROS2 with a series of developer tool extensions that help detect some of these insecurities in ROS 2 and DDS. ROS 2 *community-owner* Open Robotics did not follow up with these results or contributions and disregarded overall its relevance, pushing security responsibility aside| 22-04-2022 |
| <ins>JekyllBot:5</ins> | Aethon TUG smart robots ([various](https://aethon.com/products/)) | **Cynerio** | JekyllBot:5 is a collection of five critical zero-day vulnerabilities that enable remote control of Aethon TUG smart autonomous mobile robots and their online console, devices that are increasingly used for deliveries in global hospitals. More tech details about security findings at . | 01-04-2022 |
| <ins>Robot Teardown, stripping industrial robots for good</ins> | Universal Robots' [`UR3`](https://www.universal-robots.com/cb3/), [`UR5`](https://www.universal-robots.com/cb3/), [`UR10`](https://www.universal-robots.com/cb3/), [`UR3e`](https://www.universal-robots.com/products/ur3-robot/), [`UR5e`](https://www.universal-robots.com/products/ur5-robot/), [`UR10e`](https://www.universal-robots.com/products/ur10-robot/) and [`UR16e`](https://www.universal-robots.com/products/ur16-robot/) | [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/) *et al.* (**various**)| This research led by Alias Robotics introduced and advocated for robot teardown as an approach to study robot hardware architectures and fuel security research. Security researchers showed how teardown can help understanding the underlying hardware for uncovering security vulnerabilities. The group showed how robot teardown helped uncover more than 100 security flaws with 17 new CVE IDs granted over a period of two years. The group also demonstrated how various robot manufacturers are employing various planned obsolescense practices and how through teardown, planned obsolescence hardware limitations can be identified and bypassed obtaining full control of the hardware and giving it back to users, which poses both an opportunity to claim the *right to repair* as well as a threat to various robot manufacturers’ business models | 20-07-2021|
| <ins>Rogue Automation</ins> | (*various robotic programming languages/frameworks*) ABB's `Rapid`, Comau's `PDL2`, Denso's `PacScript`, Fanuc's `Karel`, Kawasaki's `AS`, Kuka's `KRL`, Mitsubishi's `Melfa`, and Universal Robots's `URScript`| [Federico Maggi](https://www.linkedin.com/in/phretor/), [Marcello Pogliani](https://www.linkedin.com/in/marcellopogliani/) (**various**)| This research unveils various hidden risks of industrial automation programming languages and frameworks used in robots from ABB, Comau, Denso, Fanuc, Kawasaki, Kuka, Mitsubishi, and Universal Robots. The security analysis performed in here reveals critical flaws across these technologies and their repercussions for smart factories.| 01-08-2020|
| <ins>Securing disinfection robots in times of COVID-19</ins> | UVD Robots' [`UVD Robot® Model B`](https://uvd.blue-ocean-robotics.com/modelb), `UVD Robot® Model A` | [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/) *et al.* (**Alias Robotics**) | The robots used in many medical centres to fight against COVID-19 for disinfection tasks were found vulnerable to various previously reported vulnerabilities (see ) while using Ultraviolet (UV) light, which can affect humans causing suntan, sunburn or even a reportedly increased risk of skin cancer, among others. The team at Alias Robotics confirmed experimentally these issues and found many of these robots insecure, with many unpatched security flaws and easily accessible in public spaces. This led them to develop mitigations for these outstanding security flaws and offered free licenses for such patches to hospitals and industry during the pandemic | 19-09-2020 |
| <ins>The week of Mobile Industrial Robots' bugs</ins> | Mobile Industrial Robots' [`MiR100`](https://www.mobile-industrial-robots.com/solutions/robots/mir100/), [`MiR200`](https://web.archive.org/web/20200702001019/https://www.mobile-industrial-robots.com/en/solutions/robots/mir200/), [`MiR250`](https://www.mobile-industrial-robots.com/solutions/robots/mir250/), [`MiR500`](https://web.archive.org/web/20200702031717/https://www.mobile-industrial-robots.com/en/solutions/robots/mir500/), [`MiR600`](https://www.mobile-industrial-robots.com/solutions/robots/mir600/), [`MiR1000`](https://web.archive.org/web/20200419094248/https://www.mobile-industrial-robots.com/en/solutions/robots/mir1000/), [`MiR1350`](https://www.mobile-industrial-robots.com/solutions/robots/mir1350/), Easy Robotics' [`ER200`](https://procobots.com/cnc-machine-tending/er200/), Enabled Robotics' [`ER-FLEX`](https://www.enabled-robotics.com/erflex), `ER-LITE`, `ER-ONE`, UVD Robots' [`UVD Robot® Model B`](https://uvd.blue-ocean-robotics.com/modelb), `UVD Robot® Model A` | [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/) *et al.* (**Alias Robotics**) | Having identified relevant preliminary security issues, after months of failed interactions with Mobile Industrial Robots’ (MiR) robot manufacturer while trying to help secure their robots, with this disclosure, Alias Robotics decided to empower end-users of Mobile Industrial Robots’ with information. The disclosure included a week of hacking efforts that finalized with the public release of 14 cybersecurity vulnerabilities affecting MiR industrial robots and other downstream manufacturers, impacting thousands of robots. More than 10 different robot types were affected operating across industrial spaces and all the way to public environments, such as airports and hospitals. 11 new CVE IDs were assigned as part of this effort | 24-06-2020 |
| <ins>Attacks on Smart Manufacturing Systems</ins> | Mitsubishi `Melfa V-2AJ` | [Federico Maggi](https://www.linkedin.com/in/phretor/), [Marcello Pogliani](https://www.linkedin.com/in/marcellopogliani/) (**various**) | Systematic security analysis exploring a variety of attack vectors on a real smart manufacturing system, assessing the attacks that could be feasibly launched on a complex smart manufacturing system | 01-05-2020 |
| <ins>The week of Universal Robots' bugs</ins> | Universal Robots' [`UR3`](https://www.universal-robots.com/cb3/), [`UR5`](https://www.universal-robots.com/cb3/), [`UR10`](https://www.universal-robots.com/cb3/), [`UR3e`](https://www.universal-robots.com/products/ur3-robot/), [`UR5e`](https://www.universal-robots.com/products/ur5-robot/), [`UR10e`](https://www.universal-robots.com/products/ur10-robot/) and [`UR16e`](https://www.universal-robots.com/products/ur16-robot/) | [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/) *et al.* (**Alias Robotics**) | For years Universal Robots did not care nor responded about cybersecurity issues with their products. Motivated by this attitude, Alias Robotics' team launched an initiative to empower Universal Robots' end-users, distributors and system integrators with the information they so much require to make use of this technology securely. This effort was called the *week of Universal Robots' bugs* and in total, more than 80 security issues were reported in the robots of Universal robots| 31-03-2020 |
| <ins>Akerbeltz: Industrial robot ransomware</ins> | Universal Robots' [`UR3`](https://www.universal-robots.com/cb3/), [`UR5`](https://www.universal-robots.com/cb3/), [`UR10`](https://www.universal-robots.com/cb3/) | [Víctor Mayoral-Vilches](https://www.linkedin.com/in/vmayoral/) *et al.* (**Alias Robotics**) | In an attempt to raise awareness and illustrate the *”insecurity by design in robotics”*, the team at Alias Robotics created *Akerbeltz*, the first known instance of industrial robot ransomware. The malware was demonstrated using the UR3 robot from a leading brand for industrial collaborative robots, Universal Robots. The team of researchers discussed the general flow of the attack including the initial cyber-intrusion, lateral movement and later control phase | 16-12-2019 |
| <ins>Rogue Robots</ins> | ABB’s [IRB140](https://new.abb.com/products/robotics/es/robots-industriales/irb-140)| [Federico Maggi](https://www.linkedin.com/in/phretor/), [Davide Quarta](https://www.linkedin.com/in/dvqu/) *et al.* (**various**)| Explored, theoretically and experimentally, the challenges and impacts of the security of modern industrial robots. Researchers also simulated an entire attack algorithm from an entry point to infiltration and compromise to demonstrate how an attacker would make use of existing vulnerabilities in order to perform various attacks. | 01-05-2017 |
| <ins>Hacking Robots Before Skynet</ins> | SoftBank Robotics's [`NAO`](https://www.softbankrobotics.com/emea/es/nao) and [`Pepper`](https://www.softbankrobotics.com/emea/es/pepper), UBTECH Robotics' `Alpha 1S` and `Alpha 2`, ROBOTIS' `OP2` and `THORMANG3`, Universal Robots' [`UR3`](https://www.universal-robots.com/cb3/), [`UR5`](https://www.universal-robots.com/cb3/), [`UR10`](https://www.universal-robots.com/cb3/), Rethink Robotics' `Baxter` and `Sawyer` and several robots from Asratec Corp | [Lucas Apa](https://www.linkedin.com/in/lucasapa/) and [César Cerrudo](https://www.linkedin.com/in/cesarcerrudo/) (**IOActive**)| Discovered critical cybersecurity issues in several robots from multiple vendors which hinted about the lack of security concern and awareness in robotics. | 30-01-2017 |
| <ins>Robot Operating System (ROS): Safe & Insecure</ins> | ROS | [Lubomir Stroetmann](https://www.linkedin.com/in/lubo-stroetmann/) (**softSCheck**) | This is one of the earliest studies touching on ROS and offers security insights and examples about the lack of security considerations in ROS and the wide attack surface exposed by it. The author hints that with ROS, protection mechanism depends on the (security) expertise of the user, which is not a good assumption in the yet security-immature robotics community. Moreover the author hints about various vulnerabilities that are easily exploitable due to the XMLRPC adoption within the ROS message-passing infrastructure including various XML bomb attacks (e.g. "billion laughs") | 28-02-2014 |


\newpage

## Terminology
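Review bot: Two description cells in the new `Robot hacks` table end in dangling references: the JekyllBot:5 row reads `More tech details about security findings at .` and the disinfection robots row reads `(see )`, so the link targets are missing. Add the intended URLs or drop those clauses. The first row (Enabot's `Ebo Air`) also has an empty codename cell, and the rows are not in strict date order (22-04-2022 follows 19-04-2022, and 19-09-2020 follows 01-08-2020), which matters if the table is meant to read newest first.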
3 changes: 2 additions & 1 deletion CONTRIBUTE.md
Expand Up @@ -5,9 +5,10 @@ Content's made with an open and commercially friendly license so so that you can

# PDF versions

Download [`RHM v0.4`](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.4/RHM.pdf).
Download [`RHM v0.5`](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.5/RHM.pdf).

PDF versions are generated for every release. Check out all the releases [here](https://github.com/vmayoral/robot_hacking_manual/releases):

- [`RHM v0.5`](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.5/RHM.pdf)
- [`RHM v0.4`](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.4/RHM.pdf)
- [`RHM v0.3`](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.3/RHM.pdf)
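Review bot: After this change the headline `Download` link and the first entry of the release list are the same hardcoded `releases/download/0.5/RHM.pdf` URL, so every release needs two edits in this file alone. Consider pointing the headline link at `releases/latest/download/RHM.pdf` and keeping the versioned URLs only in the list.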
4 changes: 2 additions & 2 deletions INDEX.md
@@ -1,7 +1,7 @@
---
title: "**RHM `0.4`**: Robot Hacking Manual"
title: "**RHM `0.5`**: Robot Hacking Manual"
author: [Víctor Mayoral-Vilches]
date: "**version `0.4`** (2021-12-12)"
date: "**version `0.5`** (2022-08-03)"
toc: true
subject: "Markdown"
keywords: [Robotics, Cybersecurity, Hacking, Pentesting, Offensive]
4 changes: 3 additions & 1 deletion README.md
@@ -1,6 +1,6 @@
# `RHM`: Robot Hacking Manual

[<ins>Download in PDF `RHM v0.4`<ins>](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.4/RHM.pdf) ┃ <span style="background-color: #FFFF00">[Read online](https://rhm.cybersecurityrobotics.net/)</span> | <span style="background-color: #FFFF00">[Robot hacks](https://github.com/vmayoral/robot_hacking_manual#robot-hacks)</span>
[<ins>Download in PDF `RHM v0.5`<ins>](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.5/RHM.pdf) ┃ <span style="background-color: #FFFF00">[Read online](https://rhm.cybersecurityrobotics.net/)</span> | <span style="background-color: #FFFF00">[Robot hacks](https://github.com/vmayoral/robot_hacking_manual#robot-hacks)</span>

The *Robot Hacking Manual* (`RHM`) is an introductory series about cybersecurity for robots, with an attempt to provide comprehensive case studies and step-by-step tutorials with the intent to raise awareness in the field and highlight the importance of taking a *security-first*[^0] approach. The material available here is also a personal learning attempt and it's disconnected from any particular organization. Content is provided as is and **by no means I encourage or promote the unauthorized tampering of robotic systems or related technologies**.
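Review bot: The changed download line keeps the malformed markup around `Download in PDF`: the text is followed by a second opening `<ins>` rather than `</ins>`, so the element is never closed. Since the line is being edited for the version bump anyway, close it with `</ins>`.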

Expand All @@ -20,8 +20,10 @@ Cite this work:
- [**Motivation**](MOTIVATION.md#motivation)
- [**A containerized approach**](MOTIVATION.md#a-containerized-approach)
- [**Contribute back**](CONTRIBUTE.md)
- [**Cite this work**](0_introduction/README.md#cite-this-work)
- [**Introduction**](0_introduction/README.md)
- [About robot cybersecurity](0_introduction/README.md#about-robot-cybersecurity)
- [Robot hacks](0_introduction/README.md#robot-hacks)
- <ins>**Case studies**</ins>
- [Universal Robots' UR3](1_case_studies/0_cobot/) (hacking a collaborative robot arm)
- [Mobile Industrial Robots' MiR100](1_case_studies/1_amr/) (hacking an industrial mobile robot)
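Review bot: The new top-level TOC entry `Cite this work` links to `0_introduction/README.md#cite-this-work`, while this README already has its own `Cite this work:` block (visible in the hunk header context), so the citation now lives in two files that can drift apart. Keep one copy and link to it from the other. If the entry stays, nesting it under `Introduction` next to `Robot hacks` would match where the target section actually is.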