Hacked Retail Robots Can Assault Customers With Porn and Demand Bitcoin

It’s the end of your phone’s annual life cycle and you have decided to go in for an upgrade. You make your way into a local Sprint store where you are warmly greeted by Pepper, a four-foot-tall, humanoid service robot. Pepper welcomes you and asks how it can be of assistance.

Suddenly, something goes terribly wrong. Before you can avert your gaze, hardcore porn starts streaming from Pepper’s chest tablet. You plea to make the moaning stop but instead Pepper simply looks at you and angrily demands large sums of Bitcoin. You throw your hands up in defeat, unsure what to do. And then, Pepper cusses you out.

According to newly released research, this profane disruption could actually happen, and it could cost companies money.

In their March 9 paper, “Robots want bitcoins too,” IOActive security researches Lucas Apa and Cesar Cerrudo successfully created ransomware that could be used to compromise SoftBank Robotics’ NAO robot. Unlike traditional computer ransomware which threatens customers by encrypting their personal information, in the situation presented by the researches, companies that rely on these robots for service would be forced to make a decision: pay the ransom or cease business.

“The consequences would be more like preventing the robots from working,” Apa told Motherboard over the phone. “So they do not need to encrypt information they just need to take over the robot and by preventing the robot from working it automatically will start making the business lose money.”

Using their ransomware, the researchers also proved that an attacker could go beyond simply disabling the robots. Apa explained how an attacker could load ransomware onto a robot and then display profane images or issue derogatory remarks to customers. If not addressed these types of attacks could be used to weaken consumer trust in companies that use the robots for services.

While this particular malware targeted NAO, Apa said the exact same code would work on the more widely used Pepper robot. An estimated 10,000 Pepper units have been sold worldwide and are being implemented in a variety of businesses such as Pizza Hut and Sprint.

According to the researchers, robot ransomware may be more difficult to address than typical ransomware attacks for several reasons. These robots are expensive—Pepper costs nearly $9,000 over three years with service fees—and they are also difficult to factory reset.

In lieu of a factory reset, a customers may be forced to ship their robot back to a manufacturer to remove the ransomware. This process could take weeks—all the while the company may continue losing revenu. This means, according to the researchers, that an extortionist could demand higher amounts of money and victims would be more willing to pay than in traditional ransomware attacks.

Looking into the future, the researchers also explained how ransomware could affect people who use sex robots.

“In the special case of sex robots, where privacy and intimacy are a primary user concern, the lack of discretion when contacting technical support, arranging pick up and calling customer care, could incentivize users to pay a ransom for the return of a robot rather than dealing with the emotional fallout,” the report read.

A History of Vulnerabilities

This is not the first time Apa and Cerrudo have highlighted vulnerabilities within SoftBank’s robots. Last August, the team released another research paper exposing a vulnerability in the NAO and Pepper robots which could turn them into spying devices.

In that same paper, the two were also able to disable the safety protocols that prevent collaborative industrial robots manufactured by Universal Robotics from harming humans.

“We were able to disable them because there is no isolation from the safety settings on the robot and the other components,” Apa said. “There is no isolation once you hack the robot you can disable all kind of safety.”

According to Apa, these vulnerabilities are especially dangerous because human workers have a certain degree of trust working side by side with these robots.

“These type of robots work in the factory alongside people because they are collaborative robots,” he said. “In this case the people trust and they don't even use helmets.”

Apa said that some of these collaborative robots have enough strength to fracture a human skull.

In August last year IOActive was able to manipulate a vulnerability UBTech’s; Alpha 2 robot that potentially allowed it to stab people with a screwdriver.

Apa said that some some the issues regarding the ransomware could be addressed if more companies offered effective ways to factory reset their products. A factory reset would wipe clean any malware installed on the robot.

While SoftBank Robotics does offer a factory reset option for Pepper, Apa said it does not work properly and only worked for some components.

SoftBank Robotics did not respond to Motherboard’s request for comment on their factory reset standards.

“We think sometimes they [robotics companies] prioritize marketing rather than security,” Apa said. “People have a lot of expectations from robots since seven or eight years ago so they have to make a product that is for the show.'"