More than 100 companies are using insecure collaborative robots putting at risk tenths of thousands of workers and infrastructures around the world. These insecurities stem from the use of technology from Universal Robots (a company owned by Teradyne). Universal Robots technology is reportedly vulnerable and the manufacturer is proactively ignoring security after repeated security reports.
The culprits behind this insecure industrial robotics landscape are collaborative robots UR3, UR5, UR10, eUR3, eUR5, eUR10 and eUR16 (all manufactured by Universal Robots) which present dozens of unpatched security flaws over an insecure file system that's not updated nor maintained according to common security practices. The current security flaws can be exploited by physical and remote attack vectors and can enable cyber-criminals to , (and/or connected vulnerable machines) or even after the attackers disable their safety mechanisms, which can be done remotely.
The current security flaws can be exploited by physical and remote attack vectors and can to , (and/or connected vulnerable machines) or even after the attackers disable their safety mechanisms, which can be done remotely.
Among the companies affected, it's easy to identify international automotive companies and suppliers including Ford (Romania), Nissan (Japan), Opel (Germany) , Bajaj (India), Alpha Corporation (Japan) or Continental (Spain). From farmaceutial companies to food an agriculture processing and production, these robots are used insecurely across domains including universities (e.g. PSG College of Technology) and hospitals (e.g. Copenhagen University Hospital, Gentofte Hospital).
According to the sources used, including the official case studies  information from the very own Universal Robots, more than 90.000 workers involved in these organizations might be subject to suffer from these security flaws and the lack of security awareness of this company from the Teradyne group. The more than 100 organizations spread around the world present an average employee count of more than 650, which significantly elevates the risks given the importance of insider threats, as reported by several articles and standards including NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security .
From the data availble, these insecure collaborative robots are operating in 31 countries with special representation in Denmark, Czech Republic, India and the USA.
|Country||# Companies affected|
More than 16 sectors and areas of application are affected. The following table summarizes the data collected:
|Automotive and Subcontractors||15|
|Automotive, Metal and Machining||1|
|Electronics and Technology||18|
|Home care, personal care, oils||1|
|FMCG, Pharma and Chemistry||1|
|Food, Beverage and Agriculture||11|
|Furniture and Equipment||9|
|Metal and Machining||38|
|Pharma and Chemistry||7|
|Plastic and Polymers||15|
|Scientific and Research||6|
It must be noted that the data available represents only a subset of the actual insecurity landscape. According to latest reports, Universal Robots has sold more than 42,000 robots that present critical vulnerabilities     as of latest firmware. A complete list of the companies affected is available below:
Complete list of companies affected according to data available (produced automatically)
2K Trend, a.s. AGH University of Science and Technology, Poland Aircraft Tooling Inc. Albrecht Jung GmbH und Co. KG All Axis Machining ALPHA Corporation AQUAEL AR+ ASSA ABLOY NZ ASSA ABLOY RO Atria Attl a spol. s.r.o. Továrna na stroje Aurolab Autodesk - Babo Arms Bajaj Auto BAUMRUK & BAUMRUK Beijing BAI Lear Automotive System Co., Ltd. Benchmark Electronics Thailand Betacom beyerdynamic GmbH & Co. KG - Blue Star Limited Böco Böddecker BOOG BTC Mold CO., LTD BWIndustrie Carl Zeiss Cascina Italia Clamcleats Ltd Clearpack Group CNC Trčka Comprehensive Logistics Continental Automotive Spain Coty Cosmetics COVAP Craft and Technik Industries (CATI) Creating Revolutions Darex DCL Logistics Technical College of Jutland Dynamic Group EMTEK Endutec GmbH Etalex EVCO Plastics Ferdinand Wagner Profile Fluidics Instruments B.V. FME Feinmechanik AG Ford Motor Company Franke Küchentechnik AG Fries Maschinenbau FT produktion Fusion OEM Copenhagen University Hospital, Gentofte Gern Glas GKN Driveline Glidewell Laboratories Group PSA Gustav Hensel GmbH und Co. KG - Heemskerk Fijnmechanica B.V. Hofmann Glastechnik GmbH Huis Ten Bosch Co.,Ltd. Hyundae Induction Hardening Heat Treatment (HIHHT) InPrint A/S iQLANDIA Science Center Izoelektro d.o.o. Jenny | Waltle GmbH - Konetehdas K&K Koyo Electronics Industries Lear Corporation LEAX Group Life Elettronica Srl Linaset Linatex L'Oréal India Private Limited Magneti Marelli Slovakia MANN+HUMMEL Ibérica Marka S.r.l. Melecs EWS GmbH Minitüb Mjolkursamsalan Akureyri - New Engineering Works Nichrominox Nippon Zettoc Nissan Motor Company Nordic Sugar Nortura Nymann Teknik Opel Orkla Foods Sverige Oticon OTV Plast Paradigm Electronics. PLC Industries PMI Profatec AG Prysm Industries PSG College of Technology PT JVC Electronics Indonesia RAMTEC (Robotics & Advanced Manufacturing Technology Education Collaborative). RCM Industries - RNB Cosméticos Ronet RSS Manufacturing and Phylrich Xiamen Runner Industrial Corporation RUPES SANOFI Scandinavian Tobacco Company Scott Fetzer Electrical Group. SHAD Shruti Engineers Sky Engineering SMEW Textile Machinery Pvt. Ltd. STAMIT s.r.o. Stantræk Talbot Technologies Task Force Tips TCI New Zealand Thiele thyssenkrupp Bilstein Tool Gauge Toolcraft Inc Trelleborg Sealing Solutions T&W Stamping Unilever Vinacomin Motor Industry Joint Stock Company - Voodoo Manufacturing Whippany Actuation Systems Yokota Corporation YUEYIN Technology Zippertubing Company
As indicated by Kirschgens et al. [5:1] in 2018, robots are increasingly intertwined with other facets of IT and envisioned to get much more autonomy, interacting physically with humans yet, robot security is being ignored by manufacturers. The present article illustrates this claim with evidence collected over the last two years of research in the area.
Acording to many, cobots are at the rising point of are the robotics technological revolution and hand in hand with Industry 4.0, called to change many industrial operations while influencing greatly the professional and consumer sectors. From the words of [5:2]:
we find extremely relevant to promptly alert about the imperative of ensuring a security first approach now, before new devices continue being irresponsibly rushed to the market by a number of companies. Likewise, we encourage all sides involved to develop both internal and external policies aimed at the adequate management of some of the safety and security issues
My past 10 years building robots and my daily work at Alias Robotics provides an interesting angle. From preliminar data and customer responses, it seems most of these groups are not aware of the insecurities that these robots present to them. This short essay puts this matter into perspective, and hopes to generate additional awareness across users of the robots.
To conclude, I'd once again cite Kirschgens et al. [5:3] and repeat the main question that the authors asked themselves back in 2018:
How long will it take until manufacturers notice the damages that the insecurity of these devices may cause and act? ... it seems decisive to remind that, in a world where IT and robotics are increasingly intertwined, safety and security are necessarily tightly coupled. A security-first approach is ”sine qua non” requisite for ensuring safe operations with robots.
Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., & Hahn, A. (2014). NIST special publication 800-82, revision 2: Guide to industrial control systems (ICS) security. National Institute of Standards and Technology. ↩︎
Cerrudo, C., & Apa, L. (2017). Hacking robots before skynet. IOActive Website, 1-17. ↩︎
Mayoral-Vilches, V., Juan, L. U. S., Carbajo, U. A., Campo, R., de Cámara, X. S., Urzelai, O., ... & Gil-Uriarte, E. (2019). Industrial robot ransomware: Akerbeltz. arXiv preprint arXiv:1912.07714 https://arxiv.org/pdf/1912.07714.pdf ↩︎
Kirschgens, L. A., Ugarte, I. Z., Uriarte, E. G., Rosas, A. M., & Vilches, V. M. (2018). Robot hazards: from safety to security. arXiv preprint arXiv:1806.06681 https://arxiv.org/pdf/1806.06681.pdf ↩︎ ↩︎ ↩︎ ↩︎
Alias Robotics. Week of Universal Robots' bugs. https://news.aliasrobotics.com/week-of-universal-robots-bugs-exposing-insecurity/ ↩︎