Robot “Pepper” is easy to hack

The humanoid robot “Pepper” from the manufacturer Softbank Robotics (formerly Aldebaran Robotics SAS), which is widely used in hotels and airports, is frighteningly easy to hack. A recent study by Scandinavian researchers shows that Pepper has many serious security flaws. These include, among other things, administration over an unsecured HTTP connection and a hard-to-change default password for root access. The only bright spot: according to the researchers, these problems should be easy to solve.

Pepper is about 1.20 meters tall and somehow cute. As a result, the humanoid robot is used in Japanese banks, shops and hotels around the world and at Munich Airport. But the robot’s security falls short, warn Alberto Giaretta from Örebro University and his colleagues at the Danish Technical University. There had already been isolated reports of Pepper hacks in the past. The current study, however, examines the robot’s security systematically, and paints a devastating picture.

For example, Pepper offers users a simple web interface for administrative tasks. Access runs completely unsecured over HTTP instead of an encrypted HTTPS connection, so attackers can easily steal information such as standard user data. Worse, Pepper uses a default password for root privileges, which is relatively difficult to change. In many cases, attackers could easily gain full access to the robot after logging in as a normal user. Even if an attacker cannot steal the password for the default user, that is no obstacle, because a brute-force attack easily succeeds here.

These and other gaps show that Pepper is as poorly secured as many other IoT devices. Compared to cameras or routers, of course, this machine carries even greater risks. “A hacked robot, used for example in a home or worse in a public place such as an airport, can have huge consequences for the safety of people,” explains the team.

That is because attackers could use it not only for virtual attacks but, since it is a robot, also for physical ones. The research team also emphasizes that many of Pepper’s security issues could be fixed quite easily. This starts with using HTTPS for the admin page. There are also proven, simple safeguards against password theft via brute-force attacks. For all these solutions, however, Pepper’s API would have to be fundamentally revised.

The study: “Adding Salt to Pepper: A Structured Security Assessment on a Humanoid Robot”

