Softbank's 'Pepper' robot is a security joke

Softbank's popular anthropomorphic robot, Pepper, has myriad security holes according to research published by Scandinavian researchers earlier this month. The 'bot allows unauthenticated root-level access, runs a Meltdown/Spectre-vulnerable processor, can be administered over unencrypted HTTP and has a default root password …

  1. as2003

    Softbank have had over a year to fix things since IOActive revealed a bunch of problems back in Jan 2017.

    Speaking of which:

    > The researchers [...] decided that while there have been various one-off stunt-hacks of the robot, they weren't aware of any systematic assessment of Pepper's security

    So they weren't aware of IOActive's work, and they don't seem to have made any attempt at responsible disclosure?

    1. Yet Another Anonymous coward Silver badge

      So in the last year there have been no massed attacks of cyber controlled killer robots?

      So obviously not a problem then - resolved

      Brought to you by the Space Shuttle safety management protocol

    2. Anonymous Coward
      Anonymous Coward

      FYI, IOActive's work is their first reference in the paper

  2. Anonymous Coward
    Anonymous Coward

    Security is critical, but

    I'm working at my second job in a row where security is critical but nobody can be bothered to read the OWASP Top 10. It's my second job in a row where there's a big steaming pile of PHP and nobody will even try maintaining a separation of data and commands, even when the tools to do that are easier than mashing a giant mess of strings together. It's my second job in a row where critical vulnerabilities flagged in a code review are ignored.

    I don't want to be called a "Tech Lead" when this crap exists. I don't want the FBI holding me for questioning when all the data and money is gone.

    1. Anonymous Coward
      Meh

      Re: Security is critical, but

      > I don't want to be called a "Tech Lead" when this crap exists. I don't want the FBI holding me for questioning when all the data and money is gone.

      Document it and forget about it. If you have told your management, in writing, and they decide to do nothing about it then it is not your problem any more. They can do the explaining.

      1. BebopWeBop
        Thumb Down

        Re: Security is critical, but

        I would not be convinced of that - culpability goes beyond simply informing management, and where the federal authorities are concerned you might be in trouble.

  3. Pascal Monett Silver badge

    Default password ?

    Misleading. A default password is just something that the hardware maker provided because there has to be one - all that needs doing is to change it. In this case, however, the password and the user name are hardcoded and are not changeable. That makes it much more than a default password. That makes it a permanent entry point to anyone who knows that information, which is just about anyone who bothers to look for it.

    The team that built this robot were obviously people without even the most basic notion of the definition of security. I mean, how hard can it be to allow for changing the bloody password ?

    1. Allan George Dyer
      Facepalm

      Re: Default password ?

      @Pascal Monett - "I mean, how hard can it be to allow for changing the bloody password ?"

      Wrong question. How did they fix the OS so that the root password was unchangeable? They made a very special effort to mess it up this badly!

      1. Anonymous Coward
        Meh

        Re: Default password ?

        > Wrong question. How did they fix the OS so that the root password was unchangeable? They made a very special effort to mess it up this badly!

        If there is all this obvious stuff, then what more subtle problems will remain after these have been fixed? If there really has been little thought of security in the software, then bolting it on later is probably not going to be successful without considerable re-engineering.

      2. Anonymous Coward
        Anonymous Coward

        Re: Default password ?

        > Wrong question. How did they fix the OS so that the root password was unchangeable? They made a very special effort to mess it up this badly!

        With robotics, and some other hardware motion controller systems, the OS gets booted from flash.

        The systems I've used (not one of these robots) do allow developers to re-flash things, so the password could be changed that way if need be.

        For systems that also contain writeable storage (sd card, ssd, whatever) in theory it should be possible to store changed settings and passwords on that. Doesn't sound like that's done in that case. Not sure why.

      3. handleoclast

        Re: Default password ?

        > They made a very special effort to mess it up this badly!

        Yup. And I can tell you why. I don't condone it, but I can explain it.

        Engineer demos changing password to PHB. PHB realizes that customers can change the p/w and then forget what the new password is resulting in many calls to support. So some hard-coded credentials are required just to recover from that scenario. And if you're going to have hard-coded credentials anyway, you might as well prevent them from changing the p/w in the first place, because otherwise you have to have a hard-coded user which isn't called root but has root access, and that's difficult (if you know nothing about sudoers), or an SSH cert (which, to be fair, creatively stupid users could delete).

        And, as somebody else said, if it's booting from non-writeable memory then why add some flash and extra code to permit changing the p/w when you don't want them to change it anyway?

        So I can see why they'd do this sort of thing, stupid though it is. A PHB on a cost-cutting exercise would naturally dictate that this be done.

      4. bombastic bob Silver badge
        Devil

        Re: Default password ?

        "How did they fix the OS so that the root password was unchangeable? They made a very special effort to mess it up this badly!"

        or maybe this was added as an 'extra security layer' to something that didn't have ANY security at all?

        according to THIS reference, it appears to use something called 'ROS' aka 'Robot Operating System' and a framework called NaoQI. [It's probably pronounced "now chi", my best guess]

        The 'NaoQI OS' is described as "the name of the operating system that manages our robots. It was custom-made by us, and it is this system that gives the robot his basic personality and enables him to come to life as soon as you switch him on. As soon as they are activated, our robots look, listen and are already active within their environments."

        Anyway, I'd say the problem is either the basic 'ROS' itself, or something that was done in the NaoQI framework that has poor security.

        /me has to wonder if a BSD-based operating system would have been a good choice, or Linux if they don't mind open sourcing the basic OS part...

    2. M man

      Re: Default password ?

      "however, the password and the user name are hardcoded and are not changeable."

      Like biometric fingerprints.

      So very realistic then.

  4. Mark 85
    Alert

    This steaming pile insecure chunk of hardware is apparently being sold and used. One article says "Pizza Hut". After all the years of bad Japanese robot-runs-amok movies you'd think they would take precautions since the next time they run amok, it could be for real.

    1. TRT Silver badge

      Godzilla is there to sort it out.

    2. Alan Brown Silver badge

      "This steaming pile is apparently being sold and used."

      Myriad experiences dealing with Japanese companies in the 1990s tell me that IOActive's report was buried by the people responsible for reporting upstream to management about such things (to save face) and steps may have been taken to obfuscate the vulnerabilities (changing the IP, or port, or attempting to firewall out IOActive).

      The same thing will happen for this report.

      No actual securing would take place until there is a report on a few Japanese news networks about the vulnerabilities, which will be the first inkling that Softbank's board of directors will have at _all_ of any problems with their fantastically wonderful Pepper bot, which their underlings have been reporting nothing but good things about.

      At that point a large amount of fecal matter will fall upon the heads of the juniors who've been covering things up and what doesn't land on them will instead hit a few air movement devices spinning at 15,000rpm

      Why does this keep happening? It's all part of The Plan: https://funnyshit.com.au/the_plan.html

  5. Sorry, you cannot reuse an old handle.

    Yes, but nowhere is it explained how to "physically" connect to the device... does one need to be on the same wi-fi network to start with or what? That would imply a basic security barrier...

    1. Prst. V.Jeltz Silver badge

      Good point. If it's not an IOT, does this matter?

      If someone has to actually walk up to your robot and stick a serial cable up its bum to do this, and it's not online so can't join a bot net ...

      is it a problem? My Alarm clock can be hacked - if someone breaks in my house and changes the alarm time ... that doesn't mean I want configurable user accounts and passwords on it.

      It's a TOY!

  6. Michael H.F. Wilkinson Silver badge
    1. Anonymous Coward
      Joke

      Re: Password == root???!!!

      It's OK a patch is coming out to change it to a super-duper, beautiful securely one, using capitals, numbers and special characters

      P4$$w0rd

      Problem solved

      1. Adrian 4

        Re: Password == root???!!!

        Better still, a completely random password

        1. TRT Silver badge

          Re: Password == root???!!!

          When figuring out a password storage methodology, you'd think that they'd at least add some salt to Pepper.

        2. handleoclast
          Coat

          Re: Password == root???!!!

          > Better still, a completely random password

          Better still, no password at all. Then a cracker will spend the lifetime of the universe entering passwords and never get it.

          Actually, when my gas supplier demanded I set a password for future telephone queries, I gave "none" as the answer. "You can't do that, you have to have a password." "I know that. The password is en, oh, en, ee."

  7. Dan 55 Silver badge
    Alert

    "an intolerable and disappointing finding"

    Sounds like IT in general in 2018.

  8. Lee D Silver badge

    Though all the other things you can't really excuse, a chip vulnerable to Spectre/Meltdown is hardly surprising. There really aren't that many powerful chips on the market that aren't. And it's still quite new. And can be mostly mitigated through software (whether they have yet or not would need to be checked).

    But... buy a chip that's NOT vulnerable to it, but compatible with major operating systems. It's not easy and would likely require drastic hardware redesign (new motherboard at least, most likely, even for ARM-chips).

    I think that's just buzzword-capturing more than anything else.

  9. Milton

    There's a sketch ...

    There's a sketch ... that someone must already have produced? A Sarah Connor lookalike is trapped with no way out, as a very large, imposing humanoid, somewhat the worse for wear with a few bits of metal shining through, and one red eye staring fixedly at her, stomps toward her cowering form. Ms Connor whips out her phone, fires up an SSH client and quickly runs through an assortment of login/password combos, hitting upon "illbeback" just as the machine reaches for her throat. Perhaps the closing shot is our heroine and her new buddy skipping into the sunset.

    If you think this is silly—which it really, really is—consider the folks who are building robots and drones and all sorts of automated physical devices, some able to harm people incidentally and others actually designed for it ... without thinking first, middle and last about security.

    One of the things we've learned in the past 40 years is that there is always a way, sometimes unbelievably sneaky and subtle, cunning, complex and circuitous, to compromise a device. And as devices get more complicated, with parts and code sourced hither and yon, the problem multiplies. Every time you go to great lengths to plug one leak, another springs open elsewhere.

    You'd like to believe that the people coding and building drones (whether land, air or sea) to be armed with actual weapons like missiles and torpedoes, will ask themselves: what do we do if the adversary seizes control? What contingency have we built in? How do we override the protocols? How do we prevent the overrides being overridden? Will we even know before a Maverick comes through the roof of the bunker?

    My suspicion is that while the techies will raise these issues, the politicians (who are mostly ignorant idiots) and the generals (who are soldiers, who for the whole of human military history have just wanted Stuff That Works Even After You've Dragged It Through A Swamp) will never take security quite seriously enough. Until, perhaps, the drone that's supposed to be protecting the White House instead puts a warhead through the window of the Oval Office. (This may not be a total tragedy, but the next president might not be a lunatic manchild.)

    Quite aside from the ethics of the situation (to which politicians are immune anyway), I'd suggest that the overwhelming primary reason not to arm robots is that you cannot guarantee you won't be the target.

    1. Charles 9

      Re: There's a sketch ...

      "Quite aside from the ethics of the situation (to which politicians are immune anyway), I'd suggest that the overwhelming primary reason not to arm robots is that you cannot guarantee you won't be the target."

      Only one problem: what you say about robots can be said about humans, too! It's a dilemma: you need a means to defend yourself, but what's to stop the means of defending yourself being used to usurp you instead?

      1. M man

        Re: There's a sketch ...

        "Only one problem: what you say about robots can be said about humans, too! It's a dilemma: you need a means to defend yourself, but what's to stop the means of defending yourself being used to usurp you instead?"

        In a Democracy HUMANS are you!

        1. Anonymous Coward
          Anonymous Coward

          Re: There's a sketch ...

          In a real-world democracy, humans are DUMB. They just want to get through their day with as few complications as possible. To such people, voting is a complication and very hard to fix, which is probably why the Founding Fathers originally wanted only significant landowners to be able to vote: on the reasoning that such people would actually have skin in the game and would pay more attention.

  10. g00se
    Linux

    .fail

    > the application performs no control over the file extension. As a matter of fact, we were able to upload images, text files which extensions have been modified to images, and even plain text files without performing extension editing

    Actually Unixes don't use the lame and naive system of determining a file's type by looking at its extension. They use magic numbers - a binary analysis of the file. And that's what should be employed in input sanitization if indeed that's required in what I'm surmising is an image viewer. e.g. if you pass a non-image file to feh, it will tell you there's no "loader for that file format"

    1. Charles 9

      Re: .fail

      The problem with magic numbers is that you can have false flags, such as a malware that passes itself as a JPEG or whatever by hiding itself with magic numbers. Plus, there are common container formats that nonetheless may need to be processed differently (for example, how will a magic number analyzer tell the difference between a zip, an epub, and a cbz using just magic numbers?)
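
The two points above (check content rather than the extension, and formats that share a magic number), shown as an added example that is not from the paper, the robot's software or either commenter. The function names, accepted types and sample inputs are assumptions constructed for illustration; a production check would also fully decode the image.

```python
import io
import os
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}}
ALL_IMAGE_EXTS = set().union(*IMAGE_EXTS.values())

def classify_zip(data):
    """ZIP, EPUB and CBZ share the PK\\x03\\x04 magic; look inside to tell them apart."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            # EPUB convention: the first entry is 'mimetype' holding this exact string.
            # The size cap avoids decompressing a large first entry just to classify.
            if infos and infos[0].filename == "mimetype" and infos[0].file_size <= 64:
                if zf.read(infos[0]).strip() == b"application/epub+zip":
                    return "epub"
            files = [i.filename for i in infos if not i.is_dir()]
    except zipfile.BadZipFile:
        return "unknown"
    # CBZ has no marker of its own: by convention it is a ZIP holding only images.
    if files and all(os.path.splitext(f)[1].lower() in ALL_IMAGE_EXTS for f in files):
        return "cbz"
    return "zip"

def sniff(data):
    """Coarse type from the leading bytes; the file name is not consulted."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"PK\x03\x04"):
        return classify_zip(data)
    return "unknown"

def png_header_ok(data):
    """The signature must be followed by a 13-byte IHDR chunk with a valid CRC."""
    if len(data) < 33:
        return False
    length, tag = struct.unpack(">I4s", data[8:16])
    if length != 13 or tag != b"IHDR":
        return False
    (crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(data[12:29]) == crc  # CRC covers chunk type + chunk data

def validate_upload(filename, data):
    """Return (accepted, reason). Content decides the type; the name must agree."""
    kind = sniff(data)
    if kind not in IMAGE_EXTS:
        return False, f"content is {kind}, not an accepted image"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_EXTS[kind]:
        return False, f"extension {ext or '(none)'} does not match {kind} content"
    # A borrowed signature alone proves nothing, so check structure as well.
    if kind == "png" and not png_header_ok(data):
        return False, "PNG signature present but header is malformed"
    return True, kind

def _chunk(tag, payload):
    crc = struct.pack(">I", zlib.crc32(tag + payload))
    return struct.pack(">I", len(payload)) + tag + payload + crc

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()

def make_samples():
    """Constructed inputs, built in memory; none come from the paper or the robot."""
    png = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    return {
        "png": png,
        "text": b"plain text, no image here\n",
        "spoofed": PNG_SIG + b"plain text behind a borrowed signature\n",
        "epub": _zip([("mimetype", "application/epub+zip"), ("book.opf", "<package/>")]),
        "cbz": _zip([("001.png", png), ("002.jpg", b"\xff\xd8\xff")]),
        "zip": _zip([("notes.txt", "hello")]),
    }

if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(name, sniff(blob), validate_upload("upload.png", blob))
```
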

  11. Zippy's Sausage Factory
    Joke

    But the default user / password says "no" in Portuguese. I mean, that's secure, right?

  12. Adrian 4

    too much security

    I'm starting to get the impression that some of these 'security researchers' are just making a mountain out of a molehill for the sake of publicity.

    Not EVERYTHING has to be secure by design. Especially things that are toys, or research tools.

    I've got a drawerful of sharp knives in my kitchen. Someone could easily break a window, climb in and kill me with them.

    I've got a garage full of tools to help them break in. A gas pipe full of gas to set a fire with. A water tap that could be used to construct a DoS moat. A piggy bank that can be robbed just by dropping it and stealing the £5 that falls out.

    Get a grip folks. If you're going to pick faults in things that don't actually need to be secure, at least write up a decent abuse scenario and risk management strategy. So we can decide if we actually give a ff.

    1. Anonymous Coward
      Anonymous Coward

      Re: too much security

      Really? So toys don't need to be secure? It's fine if someone records your kids whilst playing with the toys or just generally records your house? Or they use it to talk to your child when you're not around. All sounds great to me.

      Now let's apply it to a robot, something that can actually move and interact with the world around it, class it as a toy or not, if someone gains control over that it could actually prove fatal should that person really be up to no good. "Hey 2 year old, follow me, your cute toy robot out in to the road".

      Then there's having something insecure on your network and it acting as a jumping off point for other attacks etc. etc. etc.

      Clearly you've not worked around IT for long if you think something doesn't need to be secure just because it isn't running a critical system.

      1. Adrian 4

        Re: too much security

        You've made a big assumption there. That the toy is on the other end of a routable internet connection. Sure, if that's the case you deserve everything you get.

        Clue : Having an IP address doesn't mean you're open to the internet, any more than having your bedroom door open means you're welcoming the public in.

        Why on earth would you put an unknown device on your internal network without firewalling it off ? Security belongs at the borders. That's why you don't need to care about the internal security of these devices - because if your network allows them incoming or outgoing access you've lost.

        Expecting any vendor - especially malicious ones - to do your security at the device level is silly. A toy isn't going to be as hardened (or as trustworthy) as a gateway router so why even waste your time testing it ? Put the security where it's under your control, not the toy manufacturer's.

        1. Allan George Dyer

          Re: too much security

          @Adrian 4 - "Security belongs at the borders."

          No, you should have defence in depth. A mischievous employee could mess around. Malware can turn a device on your network into an entry point for launching further attacks on vulnerable devices like Pepper. Only securing your borders is eggshell security: strong, until it cracks.

          Pepper is being deployed as a receptionist, and in banks, medical centres and restaurants, which are all public or semi-public areas, where visitors might be connecting to the organisation's network.

          We need the manufacturers to give users control of the device security, so let's see more of these security fail articles.

          1. Charles 9

            Re: too much security

            "We need the manufacturers to give users control of the device security, so let's see more of these security fail articles."

            And what happens WHEN (not IF) you end up with user failures and complaints that the cure is worse than the disease?

    2. HieronymusBloggs

      Re: too much security

      "I've got a drawerful of sharp knives in my kitchen. Someone could easily break a window, climb in and kill me with them."

      From the other end of an internet connection? I'm impressed.

  13. Nick Kew
    Pint

    Anthropomorphic?

    If a robot is anthropomorphic, should it not - more or less by definition - be full of security holes and other flaws?

    Beer - 'cos we should be able to relax with our anthropomorphic friends.

    1. TRT Silver badge

      Re: Anthropomorphic?

      The holes aren't for security. They're because the robot is "fully functional".

      1. Anonymous Coward
        Anonymous Coward

        Re: Anthropomorphic?

        Sure, but Pepper doesn't have to be quite that slutty.

  14. 9Rune5

    Uploading plain text is bad, mhkay?

    > As a matter of fact, we were able to upload images, text files which extensions have been modified to images, and even plain text files without performing extension editing

    The significance of this escapes me.

    Yes, it accepts bad input, but what happens next? A badly written parser can be susceptible to buffer overflow attacks and similar, but a file's extension is irrelevant. So, what are the researchers trying to tell us here?

  15. Crisp

    What could go wrong?

    # SET KillAllHumans = 1

    1. Dan 55 Silver badge

      Re: What could go wrong?

      Phew, luckily it was commented out.

  16. Anonymous South African Coward Bronze badge

    Simon's getting his Boss to order a couple dozen of Pepper bots post haste.

  17. This post has been deleted by its author

  18. jelabarre59

    Nao?

    > A bit of Ettercap and Wireshark work revealed that the admin page is unsecured, which leaves naked the user/password pair of the only user account offered, called nao.

    So that's what Nao Okuda is working on now?

  19. fajensen

    It needs a chainsaw!

    Because- It’s too weak-looking and cute for anyone even hacking the thing, never mind fixing the security flaws.

    Adding a little risk in the game will motivate both sides and some good YouTube stuff will come out of it as well.

  20. Mr Dogshit

    There's nothing like a Pepper™

  21. JassMan
    Joke

    Are they sure it isn't actually an IoT device?

    > The 'bot allows unauthenticated root-level access, runs a Meltdown/Spectre-vulnerable processor, can be administered over unencrypted HTTP and has a default root password.

    It seems that in order for any device to be labelled as IoT these are just the kind of attributes it needs.

  22. Astara

    problem is not IoT, it's no "home (as in private) networks".

    Not every toy was designed to be an internet protected appliance.

    Use it at home on a closed network.

    All my home devices are on a closed network and would have to, at least, go out through a proxy, so please stop portraying every network-capable device as a disaster. People need to start having 'home networks' with the same basic expectations as a home bedroom or bathroom -- something that isn't automatically connected to every hacker on the internet.

    Rather than try to raise expenses and force security on every home device like toilets, toasters, refrigerators, etc... you need to focus on people having a 'home space' that includes a closed home network.

    1. Anonymous Coward
      Anonymous Coward

      fine print

      Unless (or especially if?) you're in Singapore.

    2. Allan George Dyer

      Re: problem is not IoT, it's no "home (as in private) networks".

      @Astara - All those devices already meet certain design and safety standards: toilets prevent the output contaminating the fresh water supply; toasters meet fire and electrical safety regulations; fridges don't leak dangerous refrigerant. The problem is, we don't have IoT security standards that manufacturers have to follow.

      1. Charles 9

        Re: problem is not IoT, it's no "home (as in private) networks".

        "All those devices already meet certain design and safety standards: toilets prevent the output contaminating the fresh water supply; toasters meet fire and electrical safety regulations; fridges don't leak dangerous refrigerant. The problem is, we don't have IoT security standards that manufacturers have to follow."

        And yet people STILL complain when (a) people pour bleach and ammonia down the bowl trying to bust up a crap clog, (b) people stick forks in the toaster, (c) people chisel ice off the freezer and punch the refrigerant feed, etc. And that's dealing with products that are manufactured or at least assembled domestically. At some point, you have to wonder if you're expecting too much of the average consumer. Turning security over to the end user doesn't mean much if they're the LEAST competent people at the job.

        1. Alan Brown Silver badge

          Re: problem is not IoT, it's no "home (as in private) networks".

          "Turning security over to the end user doesn't mean much if they're the LEAST competent people at the job."

          They can't be any worse than the average UK ISP installer.

          1. Charles 9

            Re: problem is not IoT, it's no "home (as in private) networks".

            THEY have standards to meet, or they can be shut down by the government, no? I mean, we don't expect car owners to know how to tear down their engines, but mechanics are set to higher standards...

    3. Anonymous Coward
      Anonymous Coward

      Re: problem is not IoT, it's no "home (as in private) networks".

      So you reckon the average joe no IT experience 'I just want it to work' home user should suddenly become a network security expert and configure their home set-up correctly??

      You do not understand non techies..

      Most people get their router set-up by the nice young man who comes to install the broadband and never touch it again. Good luck turning those people into security experts. Heck, the broadband installer is normally a telecoms guy, not a networks expert either.

    4. Alan Brown Silver badge

      Re: problem is not IoT, it's no "home (as in private) networks".

      "All my home devices are on a closed network and would have to, at least, go out through a proxy,"

      until they open ports on the firewall using uPNP

      IoT devices are being used quite successfully as DDOS vectors because home networks _don't_ firewall output traffic. If you're fingered as part of a DDoS botnet and you haven't secured your devices, what will your insurer do with your public liability insurance (hint: wilful negligence clauses)

      And there's the issue that if something gets cracked on your network and commands the (unsecured) toaster to fire up, how long will it take before your house burns down - and will the insurance company payout on that?

  23. RareToy

    Robots are like any other machine. They're either a benefit or a hazard. If they're a benefit it's not my problem.

  24. Anonymous Coward
    Anonymous Coward

    Not surprising

    When I worked in their production DC in Tokyo a few years back each server had the same 5 digit root password and no patches were ever applied.

    1. Alan Brown Silver badge

      Re: Not surprising

      "each server had the same 5 digit root password "

      31415 ?

      (You'd be surprised how common that one is, usually from people who should know better.)

      1. Charles 9

        Re: Not surprising

        Should, but DON'T. So new adage: if people are expected to know better, assume they DON'T.

  25. Astara

    And how did security researchers sell their services to inventor before hand?

    The security researchers are a bunch of idiots. They claim any toy needs to NOT be vulnerable to various security hacks. Baloney! The toy is not meant to be used in a hostile environment or hooked up to an outside internet. End of discussion.

    Until you prove it is designed to be a network attached security product, you are an idiot if you believe that security was considered as part of coming up with a new idea. You can't saddle every toy or object ever invented with the baggage of psychopaths our culture nurtures, encourage and reward with stock options and company titles.

    In most capitalistic based cultures, getting rich by turning others into human assets (or capital) and having them managed as human resources is the way businesses operate.

    The internet and early computers were developed by idealistic, forward looking pioneers who fully thought their inventions were going to be used in a futuristic star-trek type world where money is obsolete and people no longer work at jobs because they need money but for self-actualization. Does anyone remember the star-trekNG episode where the hibernating/frozen capitalist awoke and found all his capital investments and projects were worthless because the idea of collecting and possessing more and more capital was obsolete? The idea of acquiring more capital so as to be able to dominate and control more people was obsolete.

    Security is what you get when your ideals get jaded and you get ripped off. Eventually you get paranoid enough to think of anyone with more power is a threat that must be neutralized -- then you are ready for a position in national security.

    *You can't expect creativity to flow in an atmosphere of fear*

    If you focus on security, don't expect them to come up with novel new inventions other than new ways to be more secure.

    None of these statements mean that we shouldn't spend on security and defense -- but doing so takes more than equivalent share out of the ability of the society to be creative and productive. Criticizing inventors for not being security experts will only suppress more invention. The researchers need to work a lot more on social skills and how to add security than making pronouncements in public about how bad some new invention or product is because the security expert was able to find 100 new exploits. Isn't that a surprise -- the security expert could find 100 exploits (while inventing nothing) while the inventor creates 100 new products (all w/o security).

    Looking at it another way -- how many security experts come up with novel products unlike anything before that have nothing to do with security? Why would they expect inventors to come up with pre-secured inventions? The security types need to work with interpersonal relationship types to find ways to get their information and services to the inventor types in a way that the inventors will want to incorporate such ideas.

    Like any of that is likely to happen as long as a culture is only focused on cost & making the most money.

    1. Anonymous Coward
      Anonymous Coward

      Re: false dichotomy maybe

      Inventors don't have to *be* security experts, but they certainly could have *consulted with one*. If you go through all the trouble to embed an entire computer in your thing, you don't get to plead ignorance.
