Robotics CTF, a playground for robot hacking

Introducing the Robotics CTF (RCTF), a platform for robot hacking. It provides an online robotic simulation environment, accessible from any browser, 24/7 and from anywhere in the world. Through the RCTF, security researchers can familiarize themselves with typical robotic vulnerabilities without having access to real robots.

The state of robot insecurity is on stage. There is an emerging concern about major robot vulnerabilities and their adverse consequences. However, there is still a considerable gap between the robotics and cybersecurity domains. To fill that gap, the present technical report presents the Robotics CTF (RCTF), an online playground to challenge robot security from any browser. We describe the architecture of the RCTF and provide 9 scenarios where hackers can challenge the security of different robotic setups. Our work empowers security researchers to a) reproduce virtual robotic scenarios locally and b) change the networking setup to mimic real robot targets. We advocate for hacker-powered security in robotics and contribute by open sourcing our scenarios.

Introduction

The robotics landscape is rapidly evolving. Robots are spreading and will soon be everywhere. Systems traditionally employed in industry are being replaced by collaborative robots, and an increasing number of professional and consumer robots are being introduced in people’s daily activities. Following Personal Computers (PCs) and smartphones, robots are called to be the next technological revolution. Withal, robot cybersecurity is being largely underestimated, since safety cannot be granted without security.

Over the last decade, the domains of security and cybersecurity have been substantially democratized, attracting individuals to many sub-areas within security assessment. According to recent technical reports summarizing hackers' activity in different sectors, most security researchers are currently reporting vulnerabilities in websites (70.8%) or mobile phones (smartphones, 5.6%), and there is only a marginal contribution to emerging technologies such as Internet of Things (IoT) devices (2.6%). To date, only some pioneering offensive security studies have published relevant data about robotics' state of insecurity, but it seems to be an emerging field of research. We believe that the reasons for this lag are twofold. First, robot security is a complex subject from a technological perspective, one that requires an interdisciplinary array of backgrounds, including security researchers, roboticists, software engineers and hardware engineers. Second, there are few guidelines or tools, and little formal documentation, to assess robot security. However, recent contributions have shed some light on the need to take security into account systematically in robot deployments, inter alia.

Furthermore, some of the components of modern robotics, such as the Robot Operating System (ROS, and its second version ROS 2.0), have been developed as research platforms, and were purposefully developed without any security concerns. Some recent work demonstrated that robots powered by ROS are deployed with major vulnerabilities and flaws, or are simply left unprotected. As the current state of ROS security is under question by the hacker and researcher community, there have been laudable but discrete efforts among roboticists to adopt early security implementations. Through projects like SROS or Secure ROS, other available research works have dealt with hardening particular aspects of ROS. But, overall, those have been poorly explored in practice. We believe that the robotics community and the ROS community could both greatly benefit from an integrative collaborative effort in an offensive security approach for robotics.

In an attempt to raise awareness around robot security, in this paper we present the Robotics CTF (RCTF), an online playground that invites white-hat hackers to challenge robot security easily. The Robotics CTF is designed to be an online game, available 24/7, launchable through any web browser and designed for learning robot hacking step by step. In the following section we discuss the architecture of the RCTF.

Robotics CTF (RCTF)

Motivated by the growing insecurity in the field of robotics and the lack of security countermeasures adopted by robot manufacturers, our team is proud to introduce the first Robotics Capture The Flag game: the Robotics CTF (RCTF). The RCTF has been designed to be an online playground, available 24/7 through any browser from anywhere in the world, to learn robot hacking step by step. The white-hat hacker audience is invited to test, challenge, learn and interact with state-of-the-art robot environments, from an educational perspective and with robot security as the final goal. Gradually, the accomplishments during the RCTF program enable the ethical hacker to acquire the competences to assess robot security. To play the RCTF, a user needs to provide a valid e-mail address and accept the terms of use. In addition, each hacker is kindly asked to behave decorously and not to act beyond the purpose of the gamification.

Alias Robotics' RCTF consists of an array of serial scenarios that hackers have to complete successfully, as fast and accurately as possible, in order to proceed to the next scenario. With each completion, the successful robot hacker is provided with a password that allows him/her to proceed to the next. The robot hacker can review her/his position on the ranking table and compare results against the rest of the hackers in the RCTF community.

Robotics CTF is designed to provide hackers with a full experience of the security landscape in robotics. Integrated in our webpage, the platform lets users learn with tools such as ROS, is compatible with other hacking tools and provides robot simulation through Gazebo. The first scenarios are education-oriented and, by completing them, the hacker will gain basic know-how for the upcoming challenges. The scenarios depicted in RCTF are fictitious and do not have real-world counterparts, but they do reflect similarities with current real platforms in robotics.

Contributing

In an attempt to contribute to the security community, we are open sourcing the scenarios at rctf-list. We envision that as new scenarios become available, the sources will remain at this repository and only a subset of them will be pushed to our web servers for experimentation. We invite the community of roboticists and security researchers to play online and get a robot hacker rank.

We also invite security researchers to share their scenarios with the RCTF community, with the chance of potentially integrating them into the RCTF game. We gladly accept contributions through Pull Requests at rctf-list. Therein, the procedure for RCTF scenario submission is summarized, which requires a short description of the goal of each scenario.

Conclusions

In this work, we introduce the Robotics CTF (RCTF), a platform for robot hacking. We propose a robot hacking gamification environment, accessible from any browser, 24/7 and anywhere in the world. Throughout the full tech report, we highlight that our approach allows security researchers to a) reproduce scenarios locally and b) change the networking setup to mimic their real targets.

We invite the whole security researcher community to play the RCTF and contribute new scenarios of their own. We also warn society about the increasing relevance of robot vulnerabilities and advocate in favour of the creation of a strong robot ethical hacker community. Ultimately, we claim that robot security could benefit greatly from hacker-powered security and contribute by open sourcing the existing scenarios created by our team.

For more details about our work, read the full paper here.

Acknowledgements

This research has been partially funded by the Basque Government, through the Business Development Agency of the Basque Country (SPRI) and its Ekintzaile 2018 program. Special thanks to BIC Araba for the support provided.

Cite our work

@ARTICLE{2018arXiv181002690O,
  author = {{Olalde Mendia}, G. and {Usategui San Juan}, L. and {Perez Bascaran}, X. and {Bilbao Calvo}, A. and {Hern{\'a}ndez Cordero}, A. and {Zamalloa Ugarte}, I. and {Mu{\~n}iz Rosas}, A. and {Mayoral Vilches}, D. and {Ayucar Carbajo}, U. and {Alzola Kirschgens}, L. and {Mayoral Vilches}, V. and {Gil-Uriarte}, E. },
  title = "{Robotics CTF (RCTF), a playground for robot hacking}",
  journal = {ArXiv e-prints},
  archivePrefix = "arXiv",
  eprint = {1810.02690},
  primaryClass = "cs.CY",
  keywords = {Computer Science - Computers and Society, Computer Science - Robotics},
  year = 2018,
  month = oct,
  adsurl = {http://adsabs.harvard.edu/abs/2018arXiv181002690O},
  adsnote = {Provided by the SAO/NASA Astrophysics Data System}
}