RVD#44: Weak authentication on robot's main computer #44

Open

@aliasbot
{
    "id": 44,
    "title": "RVD#44: Weak authentication on robot's main computer",
    "type": "vulnerability",
    "description": "Researchers discovered that an attacker can bypass the User Authentication System (UAS) because of several implementation flaws: \r\n1) disabled authentication during system boot\r\n2) use of a default user name (without a password) that cannot be changed or removed\r\n3) the use of a specific user that comes with a set of unchangeable hardcoded credentials. It is possible to violate a robot\u2019s integrity through the control-loop alteration and calibration parameters tampering approaches described earlier. We wanted to overshoot the joints in order to collapse the robot on itself and force the servo motors beyond their physical, structural limits. Note that this attack is costly and potentially destructive because its goal is to damage the robot. Alternatively, an attacker could use the robot state alteration approach to repeatedly and abruptly start and stop a servo motor, causing electromechanical components, the brakes, and the servo motor to wear. Acknowledgement: Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea M. Zanchettin, Stefano Zanero",
    "cwe": "CWE-Improper Authentication - Generic (CWE-287)",
    "cve": "None",
    "keywords": [
        "components hardware",
        "malformed",
        "robot component: IRB140's main computer",
        "severity: high",
        "state: new",
        "vendor: ABB",
        "vulnerability"
    ],
    "system": "IRB140's main computer",
    "vendor": "ABB",
    "severity": {
        "rvss-score": "None",
        "rvss-vector": "RVSS:1.0/AV:RN/AC:L/PR:H/UI:N/Y:T/S:U/C:N/I:H/A:L/H:H",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/44"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2017-05-03",
        "detected-by": "",
        "detected-by-method": "N/A",
        "date-reported": "2017-05-03",
        "reported-by": "",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/44",
        "reproducibility": "",
        "trace": null,
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": null
    }
}
