Transcript

Hacking Robotics

Kensei Demura @ken_demu

Robot Engineer/Researcher/Creator

NII (National Institute of Informatics) SIGVerse Project Developer

D.K.T. Robot School President

Background

IPA SecurityCamp 2014

● Raspberry pi IDS Development

https://github.com/kendemu/embeddids

● Furniture Injection

The most popular Robot Middleware/OS

Robot Operating System

・ Visualization

・ IPC

・ Package management

・ Multithread/Process/Clustering

・ Image/PointCloud Processing

・ Robot Modeling / Simulation

・ Cross-platform

・ Navigation

・ Program Scalability

Question

Is ROS Secure?

ROS Technical Overview

・ Message: XML-RPC (HTTP-based)

・ Usually runs over TCP

・ A naming process called “Master” manages the services

http://wiki.ros.org/ROS/Technical%20Overview

1. A service registers a name with the Master

2. A service queries other services through the Master

3. A service establishes a TCP/IP connection with the other services

4. The services exchange the connection header

5. A service requests the serialized message

6. The other service responds with the serialized message

Connection of ROS Nodes (Process/Service)

How about encryption?

No data

Packet Sniffing

Special thanks

Background of meeting @jitomesky

Repairing the Intel Edison, on which I had made a fatal error on the Operating System side

Test Environment: Gazebo Simulator with Turtlebot

http://qiita.com/kendemu/items/f915c7c2498b04e097cc

Node Network

Result: XML-RPC packets are not encrypted

ROS Connection I/O Graph (Red)

ROS XML-RPC Packet length

Test Environment 2: Roomba

Node Network

Follow TCP Stream

Motor Commands are not encrypted

Negative effects

1. Remote control is possible just by spoofing packets

2. How to spoof packets: TCP spoofing

3. Robots nowadays connect to the Internet → critical problem for robots

Solution

SSH, IPSec, SSL/TLS Encryption

Problem: Slow for Robot Control

→ Need for fast encryption

※ Using IPSec, VPN makes the network connection more than 6 times slower

http://d.hatena.ne.jp/nori_no/20100919/1284875253

※ ROS XML-RPC packet length is about 400~600 bytes (496±99.8 bytes) (by my calculation & datasets)

Conclusion

The Network Security of ROS is weak

Pepper Reverse Engineering (Legal)

Pepper: Cross Development

But wanted to do it in a native environment

Normally, just the GUI Software above

Pepper OS is NaoQiOS, customized Gentoo※

Nmapepper: Pepper port scan

ftp, ssh, http, teradataordbms, hydap services open

Doing SSH in Pepper was very slow....

Fortunately, discovered MicroUSB and Ethernet port!

Connect MicroUSB to Pepper

Login Pepper with tty

gcc/g++, openni, opencv, gdb, wget, pulseaudio are usable

No X environment or package manager

Implementing git

No Make & configure tools in pepper

Conclusion

Pepper is programmable in native environment

Pepper is customizable
