In our increasingly digital and connected world, the opportunity for hackers to take advantage of this connectivity is growing exponentially.
New research shows that surgical robot makers are just as good at security as the rest of the world. Which means they’re very bad at it, according to University of Washington information security researchers.
The researchers targeted a telesurgery unit called the Raven II, itself developed by the University of Washington, and found an exploitable safety mechanism in the device.
The robot is designed to be remotely controlled over the Internet, so it naturally needs a failsafe in case a surgeon commands a dangerous movement, like moving the arm too fast or into an unsafe position. When that happens, the system stops in what’s called a “software E-stop”.
But this isn’t as safe as it sounds. All that’s needed for an attacker to invoke the E-stop is to send a single packet giving a dangerous instruction. If an attacker peppers the robot with lots of malicious packets they can “stop the robot from ever being properly reset, thus effectively making a surgical procedure impossible”.
Their paper, published on arXiv, shows a bunch of other vulnerabilities in the robot. The robot can be hijacked to carry out an attacker’s instructions in what’s known as a ‘man-in-the-middle attack’. This means that a hacker can instruct the robot to hack you into tiny pieces.
It’s also prone to flooding, which means an attacker can make the robot’s motion “delayed and jerky”, the researchers write.
Fortunately there is an easy fix to the problems. Make sure the connection to the robot is carried out through a VPN, like the one we all use for working remotely, and the vulnerabilities disappear.
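Why an authenticated channel takes the E-stop trick away, as an added example (not code from the paper or from the Raven II): the receiver checks who sent a packet before it checks whether the movement is safe, so a stranger's dangerous command is dropped instead of halting the robot. The packet layout, key, speed limit and all names are hypothetical, and the per-packet HMAC stands in for the authentication a VPN tunnel performs.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: pre-shared key, constructed for this demo
MAX_SPEED = 10.0                # assumption: hypothetical per-axis speed limit
FMT = "<Q3d"                    # hypothetical layout: sequence number + 3 axis velocities
TAG_LEN = 32                    # HMAC-SHA256 tag length in bytes

def make_packet(key, seq, vel):
    """Build a command packet: body followed by an HMAC-SHA256 tag over the body."""
    body = struct.pack(FMT, seq, *vel)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Controller:
    def __init__(self, key):
        self.key, self.last_seq = key, 0
        self.estopped, self.dropped = False, 0

    def receive(self, packet):
        """Return 'dropped', 'estop' or 'moved' for one incoming packet."""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # 1. Authenticate first: unauthenticated packets never reach the safety check.
        if len(body) != struct.calcsize(FMT) or not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return "dropped"
        seq, *vel = struct.unpack(FMT, body)
        # 2. Reject replays of packets the surgeon really sent earlier.
        if seq <= self.last_seq:
            self.dropped += 1
            return "dropped"
        self.last_seq = seq
        # 3. Only now apply the failsafe: the E-stop still protects against operator error.
        if self.estopped or any(abs(v) > MAX_SPEED for v in vel):
            self.estopped = True
            return "estop"
        return "moved"

def demo():
    """Run constructed traffic through the controller and return the outcomes."""
    c = Controller(KEY)
    unsafe_from_stranger = make_packet(b"not-the-key", 1, (999.0, 0.0, 0.0))
    results = [c.receive(unsafe_from_stranger) for _ in range(100)]
    safe = make_packet(KEY, 1, (1.0, 0.5, 0.0))
    results.append(c.receive(safe))                                  # surgeon's command
    results.append(c.receive(safe))                                  # replayed copy
    results.append(c.receive(make_packet(KEY, 2, (50.0, 0.0, 0.0))))  # genuine unsafe command
    return results, c
```

Without step 1, every one of the hundred unauthenticated packets would have reached the speed check and tripped the software E-stop.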
Still, putting robots in charge of life-and-death applications isn’t a situation where after-the-fact security is ideal.