A Spotlight on Security and Privacy Risks with Future Household Robots: Attacks and Lessons

Tamara Denning, Cynthia Matuszek, Karl Koscher, Joshua R. Smith, Tadayoshi Kohno (University of Washington)
In the Proceedings of the 11th International Conference on Ubiquitous Computing (UbiComp 2009), September 30th -- October 3rd 2009

Q. What is your study about?

Security and privacy of future household robots. We studied examples of today's robots in order to understand challenges for future household robots. This allows us to draw the research community's attention to addressing the security and privacy challenges with future household robots.

Q. What is a household robot?

A household robot is a mobile appliance or toy that you might purchase for your home that can interact with its environment. It might have a webcam, perform chores, or interact with your child. For example, a Roomba is a household robot, but there are many other examples of household robots today -- and there will be even more in the future.

Q. Why would a household robot be a threat to my security or privacy?

Newer household robots can be controlled via wireless networks or even over the Internet. While this makes it easier to control or check up on your robot, it also makes it easier for a (potentially malicious) third party to do the same. There are other attack vectors as well, however.

Q. What robots did you study?

The RoboSapien V2, the Rovio, and the Spykee. Our versions were purchased in or before October 2008.

Q. Are you saying that I shouldn't purchase one of these robots?

No. We are saying that there are security vulnerabilities relating to the specific versions of the robots that we studied. Any purchase decision will necessarily be made based on many factors, only one of which might be the vulnerabilities we identified. You may conclude that despite the vulnerabilities, one of these robots is right for you. In addition, we studied only three specific versions of the RoboSapien V2, the Rovio, and the Spykee. We have no reasons to believe that comparable robots from these or other manufacturers are more or less secure than the ones we studied.

Q. When did you obtain your robots?

The robots that we studied were purchased during or before October 2008. We used versions of the control software and firmware that were available at that time for our study.

Q. Do your results apply to the latest versions of these same robots, or to newer robots?

We don't know.

We have not analyzed newer versions of these robots, so if you purchase one today they may have better security and privacy properties.

At the same time, we currently have no reason to believe that newer versions of these robots -- or any other household robots -- are any more secure or private. You may want to consider taking steps to improve the security of your robot (see below).

Q. Have there been updates to the robots since the ones that you studied?

We have not analyzed any updates ourselves. However, we know that at least WowWee has added new features and upgrades to their Rovio Mobile Webcam.

Q. What are the vulnerabilities of the robots you studied?

We found several vulnerabilities in the robots that we studied:

  1. Usernames and passwords used to access and control the robots are not encrypted, except in the case of the Spykee, which only encrypts them when sent over the Internet. A malicious person could potentially intercept these to gain control of and access to the robots.
  2. The audio-visual streams are not encrypted, except in the case of the Spykee, which only encrypts them when sent over the Internet.
  3. When the Spykee uses encryption, it does so in a manner that may allow an attacker to decrypt the information (by performing a man-in-the-middle attack).
  4. The Rovio's audio-visual stream is never password-protected, even if the robot is configured to require a password.
  5. When the network supports it, the Spykee can be accessed remotely, even if the "remote access" mode is disabled. The Rovio has no way of disabling remote access.
  6. The Spykee's connection notification sound can be disabled by an attacker immediately muting the robot upon connecting.
  7. The Spykee remains connected to the Internet whenever it is on its base, even if switched off. While the audio-visual stream is disabled when the Spykee is on the base, it may be possible to override this protection, although we have not found a way to do so.

Please see our paper for more complete details.

Q. What do the vulnerabilities that you found in those robots mean?

They mean that someone might be able to drive your robot around your home, look around the house, listen in on conversations, and knock over small objects.

Q. Should I be concerned if I have a newer robot, or a robot that you haven't studied?

First, we re-emphasize the fact that the robots we studied were obtained during or before October 2008. We do not know if our discoveries apply to more recent versions of these robots, or to other household robots.

However, we also stress that if security and privacy are not adequately addressed, then there could be serious consequences for users -- especially as future robots become more sophisticated and capable.

Q. I have one of these vulnerable robots. What should I do?

First off, don't panic. We don't know of anyone who has taken over a household robot and used it for malicious purposes: we just believe in being careful.

If you own a robot exactly like the ones we studied, then there are some simple precautions that you can take today to improve the security and privacy features of your robots.

Q. Should I be concerned when I make purchases of electronic and robotic appliances in the future?

Our motivation was the scientific study of these robots. Independent of any of these robots, we feel that it's very important that consumer products for the home not compromise their users' security and privacy, especially when those products might be used by or around children. We also feel that consumers should have resources for assessing the security and privacy properties of potential purchases. For example, independent consumer advocacy groups or review agencies could publish evaluations of new consumer products from a security and privacy point of view.

Q. Where was your paper published?

Our paper was published in the proceedings of the 11th International Conference on Ubiquitous Computing (UbiComp '09) in Orlando, Florida. The paper is available at this web site: http://www.cs.washington.edu/homes/tdenning/.

Q. What were the main conclusions of your study?

The main conclusions of our study were:

Q. Do your results apply to other types of robots, such as industrial robots?

We have not analyzed robots in industrial settings. Some of our concerns will apply. For example, robots in industrial settings are cyber-physical systems, and compromises of those systems could cause significant damage. At the same time, some other factors lessen some of the issues we have uncovered. For example, industrial robots are located in more controlled environments, and might have more restricted attack vectors than household robots.