Hacking Robotics(English Version)

  • View
    520

  • Download
    0

Embed Size (px)

Transcript

Hacking Robotics

Kensei Demura @ken_demu

Robot Engineer/Researcher/Creator

NII (National Institute of Informatics)
SIGVerse Project Developer

D.K.T. Robot School President

Background

IPA SecurityCamp 2014

Raspberry pi IDS Developmenthttps://github.com/kendemu/embeddids

Furniture Injection

The most popular Robot Middleware/OS

Robot Operating System

visualizationIPCPackage managementMultithread/Process/ClusteringImage/PointCloud Processing Robot Modeling / SimulationCross-platform NavigationProgram Scalability

Question

Is ROS Secure?

ROS Technical Overview

Message : XML-RPC(HTTP-based)runs through TCP usuallyThe namesystem of process called Master manages the services http://wiki.ros.org/ROS/Technical%20Overview

1. a service register a Name to the Master2. a service query other services through Master3. a service establishes TCP/IP connection with otherservices4. the services exchange the connection header5. a service require the serialized message6. the other service respond with the serialized message

Connection of ROS Node(Process/Service)

How about encryption

No data

Packet Sniffing

Special thanks

Background of meeting @jitomesky

Repairing the Intel Edison which I had made afatal error on the Operating System side

Test Environment:
Gazebo Simulator with Turtlebot

http://qiita.com/kendemu/items/f915c7c2498b04e097cc

Node Network

Result:
XML-RPC Packet is not encrypted

ROS Connection I/O Graph(Red)

ROS XML-RPC Packet length

Test environment:Roomba

Node Network

Follow TCP Stream

Motor Commands are not encrypted

Negative effects

1. Remote Control is possible just by spoofing packets

2. How to spoof packets : TCP Spoofing

3. The robots nowadays connect to the Internet critical problem for robots

Solution

SSH,IPSec,SLL/TLS EncryptionProblem Slow for Robot ControlNeeds of fast encryptionUsing IPSec,VPN make network connection more than 6 times slower http://d.hatena.ne.jp/nori_no/20100919/1284875253ROS XML-RPC Packet length is about 400~600 bytes(49699.8 bytes) (by my calculation & datasets)

Conclusion

The Network Security of ROS is weak

Pepper Reverse
Engineering(Legal)

Pepper : Cross Development
But wanted to do in native environment

Normally, just the GUI Software above
Pepper OS is NaoQiOS, customized Gentoo

Nmapepper:
Pepper port scan

ftp, ssh, http, teradataordbms, hydapservice open

Doing SSH in Pepper was very slow....

Fortunately, discovered MicroUSB and Ethernet port!

Connect MicroUSB to Pepper

Login Pepper with tty

gcc/g++, openni,opencv,gdb,wget,pulseaudio is usableNo X environment, package manager

Implementing git

No Make & configure tools in pepper

Conclusion

Pepper is programmable in native environmentPepper is customizable

Implementing git

No Make & configure tools in pepper