Hacking Robotics(English Version)

Hacking Robotics

Kensei Demura @ken_demu

Robot Engineer/Researcher/Creator

NII (National Institute of Informatics)SIGVerse Project Developer

D.K.T. Robot School President

Background

IPA SecurityCamp 2014

● Raspberry pi IDS Development

https://github.com/kendemu/embeddids● Furniture Injection

The most popular Robot Middleware/OS

Robot Operating System

・ visualization・ IPC・ Package management・Multithread/Process/Clustering・ Image/PointCloud Processing ・ Robot Modeling / Simulation・ Cross-platform

・ Navigation・ Program Scalability

Question

Is ROS Secure?

ROS Technical Overview

・Message : XML-RPC(HTTP-based)

・ runs through TCP usually

・ The namesystem of process called “Master”

　 manages the services 　http://wiki.ros.org/ROS/Technical%20Overview

1. a service register a Name to the Master

2. a service query other services through Master

3. a service establishes TCP/IP connection with other

services

4. the services exchange the connection header

5. a service require the serialized message

6. the other service respond with the serialized message

Connection of ROS Node(Process/Service)

How about encryption？

No data

Packet Sniffing

Special thanks

Background of meeting @jitomesky

Repairing the Intel Edison which I had made a

fatal error on the Operating System side

Test Environment:Gazebo Simulator with Turtlebot

http://qiita.com/kendemu/items/f915c7c2498b04e097cc

Node Network

Result:XML-RPC Packet is not encrypted

ROS Connection I/O Graph(Red)

ROS XML-RPC Packet length

Test environment２ :Roomba

Node Network

Follow TCP Stream

Motor Commands are not encrypted

Negative effects

1. Remote Control is possible just by spoofing packets

2. How to spoof packets : TCP Spoofing

3. The robots nowadays connect to the Internet → critical problem for robots

SolutionSSH,IPSec,SLL/TLS Encryption

Problem ： Slow for Robot Control

→Needs of fast encryption※Using IPSec,VPN make network connection more than 6 times slower

http://d.hatena.ne.jp/nori_no/20100919/1284875253

※ROS XML-RPC Packet length is about

400~600 bytes(496±99.8 bytes)

(by my calculation & datasets) 　

Conclusion

The Network Security of ROS is weak

Pepper ReverseEngineering(Legal)

Pepper : Cross DevelopmentBut wanted to do in native

environment

Normally, just the GUI Software abovePepper OS is NaoQiOS, customized Gentoo※

Nmapepper:Pepper port scan

ftp, ssh, http, teradataordbms, hydap

service open

Doing SSH in Pepper was very slow....

Fortunately, discovered MicroUSB and Ethernet port!

Connect MicroUSB to Pepper

Login Pepper with tty

gcc/g++, openni,opencv,gdb,wget,pulseaudio is usable

No X environment, package manager

Implementing git

No Make & configure tools in pepper

Conclusion

Pepper is programmable in native environment

Pepper is customizable

Implementing git

No Make & configure tools in pepper