SoftBank's Pepper AI bot is riddled with security bugs

[steven36]

Boffins reckon the robot is 'astonishingly insecure' and a potential cyber menace

 

 

 

BOFFINS HAVE BRANDED SoftBank's Pepper robot as "astonishingly insecure" and reckon it could be used as a "cyber weapon".

 

In a paper smartly titled ‘Adding Salt to Pepper: A Structured Security Assessment over a Humanoid Robot', academics from Michele De Donno and Nicola Dragoni of the Technical University of Sweden and Alberto Giaretta from Orebro University threw some shade at Pepper, the friendly-come-creepy looking bot.

 

The researchers found that Pepper, which used a fair bit as a form of robotic assistant and information spouter in Japan, was rife with security flaws. Such holes could allow hackers to gain unauthorised remote access to Pepper, potentially making the innocent robot go rogue.

 

"We were able to steal the login credentials, perform a privilege escalation, and steal data. Moreover, we found out that it is possible to physically command the robot without authentication, use it to spy people and, potentially, even directly harm them," the academic said, painting a worrying future for poor Pepper.

 

Apparently, SoftBank overlooked well-established security practices and hacking countermeasures that could keep Pepper safe from an unwanted digital prodding. As such, the robot is exposed to dangerous but basic and easily preventable flaws.

Things like Pepper's admin page were found to be unsecured and have basic default root passwords rather than more solid authentication credentials. And its internal processor was also found to be vulnerable to the Spectre and Meltdown bugs

And the bad news keeps coming as the boffins found that Pepper's APIs exposed its sensors, cameras, microphones, and moving parts to hackers, who can control the robot through programs stored on it locally or through scripts remotely executed.

 

Such vulnerabilities could allow people with hacking skills to see and hear what the robot does as it goes about its duties helping humans. It could even be used to attack people given the APIs could be exploited to move the robot's arms and make it grab things -Pepper could be turned into a groping sex-pest droid, for example.

 

Pepper's built-in touchscreen could also be hacked and made to display any file a hacker wanted it to, so it could present tourists looking for information and directions with bogus maps or lewd images.

While some of the blame for these flaws rest with SoftBank and a seeming lack of scrutiny of the robot's security and APIs, the original builders of Pepper Aldebaran Robotic, which SoftBank snapped up in 2015, are the core culprits.

 

The company appeared to be fairly lax in ensuring its robot was secure, but such oversights can happen when developing rather futuristic-tech. Many smart Internet of Things devices have been rushed to market in order to get cool gadgets out and about without necessarily considering the cybersecurity risks they could pose or their lack of proper anti-hacking software.

 

And the researchers reckon more caution needs to be taken when making smart robots, rather than pushing them out into the world to show off fancy tech.

"We have the feeling that commercial robots get on the market too quickly, evolving from research frameworks to final products without enough security investigation from the manufacturers," the academics said, noting the need for stricter security evaluation.

In a world increasingly moving toward automation, with Google's smart tech being able to mimic human phone conversations and Microsoft's artificial intelligence work partially following suit, it looks like smart robot tech is here to stay. We only hope the future bots aren't riddled with security holes as we're getting bored of people chirpsing on about the rise of the machine and human-hurting robots.

 

Source