Late last month, Alias Robotics released a statement noting that it had uncovered 13 security vulnerabilities affecting the open-source Robot Operating System, or ROS 2.
The Vitoria-Gasteiz, Spain-based company claimed that more than 650 devices worldwide are vulnerable. Alias Robotics said it has seen the vulnerabilities in robots owned by NASA, Huawei, and Siemens, as well as in hospitals, banks, and universities.
Alias Robotics noted that the security flaws related to ROS 2 could have “devastating consequences” if they are not addressed. ROS 2 was released in February 2015.
They could allow distributed denial-of-service (DDoS) attacks on robots, asserted Victor Mayoral Vilches, robotics architect and co-founder of Alias Robotics.
“That means you can externally induce through network connectivity large, special crafted networking packages and literally generate essentially enough problems into a robot so that it becomes unstable,” he told Robotics 24/7.
The vulnerabilities were discovered in DDS, or the Data Distribution Service. That’s the middleware software that “is the main communication bus between different robot devices,” Alias Robotics said.
Founded in 2018, Alias Robotics is a robotics cyber security consulting company. It makes an antivirus software for robots called the Robot Immune System and helps more than 20 customers around the world manage security vulnerabilities.
Open Robotics responds
But Open Robotics, the Mountain View, Calif.-based nonprofit that maintains the Robot Operating System, said in an e-mail to Robotics 24/7 that “most or all of the issues have been addressed, and exploitation in the wild has not been documented.”
It added that of the 13 common vulnerabilities and exposures (CVEs):
- “Two are for CycloneDDS, have been patched, and are related to an XML parser configuration.
- One is for FastDDS and is related to a network flooding/DDoS attack. Specific recommendations to address these types of attacks can be found here.
- Three CVEs are for OpenDDS, which is unsupported by ROS 2.
- Three CVEs are for GurumDDS, which, at Tier 3 or community support, is not in wide use.
- Four are for RTI Connext DDS, which is a proprietary DDS implementation and therefore not something that our community can address directly.”
“Given that these issues have already been reported and addressed, we frankly do not understand the reason to issue a press release,” said Katherine Scott, developer advocate at Open Robotics. “Moreover, the CVEs detail exploits in individual vendors' implementations of DDS, not core ROS libraries or the DDS specification itself. A more productive announcement would have focused on making users aware of the patched exploits, with instruction on how to update their systems.”
Alias Robotics says ROS is still vulnerable
In response to Open Robotics' statement, Vilches said, “We’ve been open with authorities and with the community about our findings. Open Robotics never reached out to us, so we frankly don’t know what they know or have understood. We are of course open to engage in conversations and support them (and any other ROS user).”
“We will soon release more information about our results in another article we are preparing jointly, and which will be released for S4 security conference,” he added. “Moreover, we have new results we plan on releasing in the near future.”
Vilches noted that Alias Robotics is still “capable of exploiting various flaws in ROS 2 Rolling. Several of the outstanding flaws remain unaddressed and/or proposed solutions don’t solve the problem. We raised open tickets indicating this and followed up with some vendors reminding them that we continue being capable of exploiting things.”
He said that more awareness and discussions need to be have about securities and robotics.
In 2020, Vilches said he presented research at the ROS-Industrial Conference Europe detailing numerous vulnerabilities in ROS. That presentation spurred Alias Robotics to start digging into the operating system more deeply, he said.
In addition, Alias worked with various international experts on its research, according to Vilches.
About the Author
Cesareo Contreras was associate editor at Robotics 24/7. Prior to working at Peerless Media, he was an award-winning reporter at the Metrowest Daily News and Milford Daily News in Massachusetts. Contreras is a graduate of Framingham State University and has a keen interest in the human side of emerging technologies.
Follow Robotics 24/7 on Facebook
Email Sign Up
Get news, papers, media and research delivered
Stay up-to-date with news and resources you need to do your job.
Research industry trends, compare companies and get market intelligence every week with Robotics 24/7.
Subscribe to our robotics user email newsletter and we'll keep you informed and up-to-date.