by Marc Goodman
In essence, robots are nothing more than moving computers, computers that will liberate cyber crime from behind today’s two-dimensional screens and launch it into our everyday physical world. Researchers at the University of Washington examined three home bots, including the Erector Spykee and WowWee’s Robosapien and Rovio, and uncovered significant security flaws in each, including a lack of passwords and poorly implemented or absent encryption. As a result, third parties could take over the devices from afar, move them, and remotely capture audio and video. Researchers described security in these devices as “merely an afterthought.” But as robots become more prevalent in society, moving about our world, they will join the billions of other objects connected to the IoT. As we saw previously, tens of thousands of videoconferencing systems used at law firms, pharmaceutical companies, and medical centers are deeply insecure and have been successfully hacked, even inside the Goldman Sachs boardroom. Why would telepresence bots—moving videoconference devices—be any different? These robots could follow you around, listening in, or sit there silently during meetings observing everything, excellent tools for industrial espionage. When your factory closes and the lights go out, hackers halfway around the world could commandeer the bots to case the joint. Though you might have a security guard to keep criminals out, a robotic one may already be in the building.
Hacking robots raises a number of important questions. How private is that robotic bedside consultation your doctor is providing over the Internet? Worse, those industrial bots cooking up hamburgers and slicing tomatoes will be armed with sharp knives—how do we teach them to use caution when around humans? Though most industrial robots have safety systems, as we have seen, accidents happen, including deadly ones. But robotic safety routines are encoded in computer programming, programming hackers can interfere with and disable. The next generations of powerful household robots may well be misused in ways their designers never envisioned. Just as smart-phone users jailbreak their iPhones today to remove annoying software restrictions, so too will they with their robots, opening the door to a variety of “robots gone wild” scenarios.
Consider an “in screen we trust” attack in which an employee dutifully turns off the robot before cleaning it, but a hacker has interfered to keep it on. Though the screen shows the robot and its massive industrial arms are powered off, the unsuspecting worker approaching the device finds himself grabbed by the neck, picked up, and asphyxiated, a great way to deal with that co-worker you never liked in sector 3B. To the world, it might just look like another accident. If these scenarios seem far-fetched, evidence of hacking some of the most secure robots in the world—military and police bots—already exists.
Game of Drones
You need to put drones under control. You need to lay out certain rules of engagement in order to prevent or minimize collateral casualties. It is extremely important.
VLADIMIR PUTIN
In late 2009, as the war raged on in the Middle East, U.S. Predator drones flew nearly constantly above the skies of Iraq. Their missions varied from intelligence collection to “kinetic operations against high value targets” such as launching Hellfire missiles against insurgents. The drone pilots remotely carrying out these operations seven thousand miles away in the Nevada desert intently watched live video feeds of their targets as they navigated their UAVs in pursuit of their quarry. As it turns out, they weren’t the only ones watching. Shia militants had figured out a way to hack the American flying robotic fleet and capture its live video feeds. Using a $26 piece of Russian hacker software known as SkyGrabber, commonly sold in the digital underground to steal satellite television signals, the insurgents were able to intercept the video footage emanating from the classified Predator drones. Thus as the Americans were watching the insurgents, the insurgents were watching back, providing them with a tactical advantage and vital intelligence on coalition targets. If the militants saw their house coming into close video focus, they knew it was definitely time to rapidly consider alternative housing options.
This was certainly not the only time a drone was successfully hacked; it’s even happened over the continental United States. The Department of Homeland Security uses a fleet of these UAVs to protect the border and in 2012 found out they were not nearly as secure as it had presumed. Students at the University of Texas at Austin had discovered a way to hack the drones and tried to inform DHS, which refused to believe them, saying its UAVs were “unhackable.” After months of back-and-forth, officials were finally persuaded to participate in a demonstration by the students, at which point the UT wunderkinder seized the flying robot and began flying it sharply off course, leaving DHS officials with their jaws agape. The students carried out their attack by successfully spoofing the drone’s GPS and changing its coordinates, all using hardware and software they had built at school for under $1,000. Their professor Todd Humphreys (the same man responsible for hacking the GPS on the super-yacht White Rose of Drachs mentioned earlier) astutely noted after the DHS incident, “In five or ten years we’ve got 30,000 drones inhabiting the national airspace … Each one of these could be a potential missile to be used against us.”
Others have taken notice, including the Iranians, who successfully used the same technique to jam the communication links of an American RQ-170 Sentinel drone overflying their country, forcing it into autopilot mode. The drone followed its programming and returned to base in Afghanistan, or so it thought. In reality, the Iranians had successfully spoofed the UAV’s GPS signals, flying the robotic soldier right into the hands of the Islamic Revolutionary Guard Corps. The capture of the drone and its classified technology was a significant intelligence coup for the Iranians and provided yet further evidence that the day of robo-hacking has arrived. It’s not just the drones themselves that can be hacked; so can their command-and-control systems. In 2011, a potent computer virus struck the U.S. drone fleet, infecting the cockpits of America’s Predator and Repeater UAVs, logging every keystroke of drone pilots as they flew missions over Afghanistan. The source of the breach remained unknown as of late 2014, and the incident was still under investigation.
In 2013, the serial hacker Samy Kamkar devised an attack (and posted it online for others to exploit) that allowed him to fly his own aerial drone that would seek out other flying robots in the sky, hack them, and turn them into a physical botnet army of UAVs under his control. The software, dubbed SkyJack, compromises the smart-phone wireless connections controlling drones, such as the wildly popular Parrot AR model, commonly sold at Costco, and allows hackers to commandeer a victim drone’s flight control and camera systems. Over 500,000 Parrot UAVs have been sold, and Kamkar’s technique should prove useful to hijack other drones, such as those that will undoubtedly be delivering goods around cities in the coming years—misdirecting packages and pizzas in real time. The future of robotic crime looks promising indeed to Crime, Inc., and it is beginning to dedicate significant resources to the effort.
Robots Behaving Badly
In 1982, on the streets of swanky Beverly Hills, California, police took a rather unusual perp into custody—a DC-2 robot that was illegally distributing advertising flyers in the city’s business district without a permit. When officers approached the four-foot rogue bot on wheels, they discovered a machine with an old CRT monitor and keyboard for a chest and a head shaped like an astronaut’s helmet. Police demanded the robot’s mysterious operator identify himself, but instead they were met with a barrage of insults spouting from the robot’s onboard speaker. Unamused, cops tried to disassemble the bot and take it into custody, and as they did, the robot began loudly screaming to a crowd that had gathered, “Help me! They’re trying to take me apart.” Eventually, the robot was “arrested” and transported to police headquarters by tow truck. A few hours later, Gene Beley, owner of the $30,000 robot and founder of the Android Amusement Corporation, appeared before cops with his two teenage sons dragged by their ears in tow. The boys had taken the professional robot for a “joyride” without their father’s permission. Though police considered citing Beley for the incident, they instead released the robot on his own recognizance. When Beley was interviewed by the Associated Press after arriving at his house, he noted he was glad to have the DC-2 back home, adding, “We sort of felt like a member of the family was in jail.” Though perhaps the first, the DC-2 will certainly not be the last robot arrested.
In time, robots will be used to assist in bank robberies, street holdups, and even kidnappings. Hackers have already created the R2B2, the Robotic Reconfigurable Button Basher, a machine capable of trying repeated passwords on locked, lost, or stolen iPhones and Android devices at the rate of one attempt per second. The hacking bot was built for under $50 from several servomotors, a plastic stylus, and a Webcam that “watches the phone’s screen to detect if it successfully defeated the phone’s password” (even criminals will use robots for jobs that are repetitive or dull). Robots can also be a criminal’s best friend, as police in Taiwan discovered in mid-2014 when they attempted to arrest a known armed drug dealer who had tightly protected his home with a series of surveillance robots streaming video, meant to give early warning of police presence.
As we saw in the opening of this chapter, terrorists are also using robots as weapons, and they aren’t limited to consumer-grade UAVs with small payloads. In both Iraq and Afghanistan, terrorists have turned to VBIEDs (vehicle-borne improvised explosive devices), commonly known as car bombs, to destroy multiple buildings and rock entire neighborhoods, with some vehicles’ containing up to seven thousand pounds of explosives. VBIEDs are powerful weapons and have destroyed numerous targets around the world, including Khobar Towers in Saudi Arabia, the U.S. Marine Corps barracks in Beirut, and the Murrah Federal Building in Oklahoma City.
Now terrorists are turning to robotic weapons to supplant their previous VBIED capabilities. In a video discovered online, kaffiyeh-clad engineers from Ansar al-Islam can be seen bragging about their technical abilities while huddled over, soldering computer circuit boards. In the next scene of the four-minute clip, a pickup truck is seen driving in the middle of the desert with a tripod-mounted automatic machine gun in its bed. As the camera zooms in, it is clear there is no driver in the cab, which is being operated via crude robotic controls on the steering wheel and floor pedals. Moments later numerous rounds are fired from the machine gun, as a remotely controlled robotic actuator pulls the weapon’s trigger.
Using such systems, jihadists no longer need to martyr themselves. While they may miss out on their promised seventy-two virgins, they would remain capable of coming back to fight another day. The potential for criminal abuse of self-driving vehicles has not escaped some in law enforcement, and the FBI issued an internal report citing fears about their forthcoming use as lethal weapons. Officials predicted that robotic conveyances could be used as VBIEDs preprogrammed to autonomously drive across town to detonate at their intended targets. Those fears we’ve always had about killer robots, depicted in films such as Westworld, Blade Runner, RoboCop, The Terminator, and I, Robot, may unfortunately be at the early stages of already materializing.
Attack of the Drones
Drones are scary. You can’t reason with a drone.
MATT GROENING
When Jeff Bezos, the CEO of Amazon.com, announced in late 2013 that the world’s “everything store” would soon be using octocopter drones to deliver packages to its customers, the world sat up and noticed. Sure, others had beaten Bezos to the punch, such as the entrepreneurs who launched the TacoCopter and the Burrito Bomber, not to mention the Vegas hotel that delivers chilled champagne poolside to its guests via drone, but Bezos’s announcement was different. Amazon has perfected its logistics, and getting drones to go the last mile for its customers would undoubtedly be a game changer in business. In the fall of 2014, Google successfully began delivering goods on a pilot basis via a small five-foot-wide single-wing aircraft. Dubbed Project Wing, Google’s drone can fly within a ten-mile radius of its warehouses, delivering everything from candy to dog food. The UAV also has rotors and can hover a hundred feet over a customer’s home and lower products to the ground via a cable winch before flying back to the company’s offices. Undoubtedly, there are plenty of kinks, technical and regulatory, to be worked out with these services, but in one form or another it’s a done deal: like it or not, the era of commercial and civilian drones is upon us.
Though most often associated with the military and warfare, drones can also be a force for good. Drones are being used to catch poachers in Africa and help farmers maintain their crops in America. They surveyed the damage at the Fukushima nuclear disaster site and helped after the earthquake in Haiti. Today, UAVs are chasing storms to provide early warnings of hurricanes, putting out wildfires, and transporting medicine to remote villages. Real estate agents are using them to photograph properties, and parents such as Paul Wallich of Vermont are flying quadcopters over their kids as they walk to the local school bus stop to make sure they get there safely. The Royal Canadian Mounted Police have even used their quadcopter robo-Mountie to record the first-ever case of a life saved with a UAV when they flew it over a remote area of Saskatchewan to locate a missing injured man who became lost and disoriented after his car crashed and went off the road in freezing temperatures.
The day of the drone has arrived, and Web sites such as DIY Drones have established massive communities dedicated to building personal UAVs. For consumers, businesses, and government, UAVs have become easily affordable, costing only a few hundred dollars for basic models, and come loaded with high-powered sensors such as HD cameras whose video feeds users can view on their mobile phones. Though drones are becoming increasingly popular and can be used for good, they bring with them a host of concerns beyond the privacy matters mentioned previously. Soon our skies will grow crowded with these devices. We will fondly recall the days when we could look up and see the heavens, absent legions of quadcopters pulling banners for Pepsi, Viagra, and Coppertone in what is becoming the growing field of “drone-vertising.” The problem will become much worse when the world of big-data analytics converges with robotics. Then, rather than showing you online banner ads based on your search history, cookies, and Facebook Likes, drones displaying carefully targeted ads will show up outside the window of your home or follow you down the street carrying actual banner ads. Also, more flying robots mean more accidents. If trained military pilots can have four hundred of their UAVs fall out of the sky, what will happen when the drunken kids at the frat party start playing with them?
Of course if Martha Stewart can figure out how to use a drone to surveil her property and photograph it, so too can Crime, Inc. Not only will camera-equipped UAVs be used for the obvious things like industrial espionage and casing joints for burglary, but they may also be used to help jealous husbands and wives stalk their exes, including in cases of domestic violence. Hackers have also figured out how to use drones for the purposes of communications interception, both listening in on your phone calls and tracking your every move online, with devices such as the WASP—the Wireless Aerial Surveillance Platform.
Unveiled in Las Vegas in 2011, the WASP is a small remote-controlled airplane with a six-foot wingspan. It has eleven antennas and is equipped with a variety of communications tools and sensors, including an HD camera. The WASP was designed to fly over your neighborhood and intercept the Wi-Fi signals of all those around, even those on encrypted networks. The UAV has a small onboard Linux computer that runs a variety of hacking tools, including a custom-built 340-million-word dictionary, which the drone can use to generate passwords to get brute-force access to your network in real time. The WASP also carries a rogue cell-phone tower that it can use to “impersonate” GSM mobile phone carriers. The fake cell tower tricks your mobile into connecting to the WASP and allows hackers to record all phone calls and text messages that pass through the device. Not long ago, signals intelligence capabilities such as these would have cost tens of millions of dollars and were only available to the world’s most advanced militaries. The WASP was built for $6,000.
With basic drones equipped with HD cameras costing so little, they are beginning to show up in a variety of unexpected places, including at protests and riots. In Warsaw, Poland, demonstrators from the Occupy movement launched a quadcopter to document the activities of aggressive riot-clad police as they attempted to control a crowd of thousands with tear gas. The so-called Occu-copter flying a hundred feet off the ground provided protesters with stunningly clear images of police officers as they moved in column formation to try to encircle the demonstration, a powerful and previously unimaginable countersurveillance tool now in the hands of the common man. Needless to say, cops won’t be the only ones to struggle with how to respond appropriately to drones flying overhead.
Crime, Inc. has taken to flying robots as the tool of choice to smuggle weapons, cell phones, and narcotics into correctional facilities around the world. At the Provisional Detention Center São José dos Campos in São Paulo, Brazil, correctional officers observed a quadcopter drone fly over the prison walls and drop a small package in the recreational courtyard of the facility and discovered 250 grams of cocaine in the package. Outside Moscow, it was a remote-controlled helicopter that flew 700 grams into the Tula prison. In Greece, it was a box of mobile phones, and similar prison intrusion incidents have been reported from Canada to Australia and the United States. Crime, Inc. is slowly building up its robotic air force.