Wednesday, January 26, 2011

Please Secure Your Robot: Part 2 of 5

Authentication is the process of verifying that a user is who they claim to be. It is the first line of defense and the absolute minimum requirement for a secure system.

A proper authentication system requires that each user has a separate user ID. This requirement ensures that operators understand they are personally responsible for their use of the equipment, and it is what makes the logs worth anything: a shared account tells you that "somebody" did it. Production systems should have operator accounts that are separate from maintenance and administrative accounts, so that an operator cannot tamper with system logs. Research systems will obviously have different requirements, but separate accounts can still be implemented there with judicious use of sudo.

Some might make the excuse that passwords will get in the way of field operations; however, fingerprint readers and cellphone key-lock-style PIN entry show how users can be authenticated quickly. While such a scheme may not provide the most robust security, it will enable meaningful logging and may prevent casual abuse of the system. Managing multiple accounts may be beyond the capabilities of some embedded robotic systems, but even the smallest networked robot deserves a password.

The first easy solution for better robot security is to stop shipping robots with a default password. Users should be forced to choose a unique password upon startup, just like when you set up your WiFi access point, because we learned what happened when Linksys set a default password for all of its WiFi routers. If your robot has a default password, please change it before you find it has left you. Providing a system for multiple users to operate the robot should not be much harder, and it will greatly improve security at minimal additional engineering cost.
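To make the two requirements above concrete, here is an added example (not code from the original post or from any robot vendor) that audits a robot's account database for the problems just described: accounts still carrying the image's default password, accounts with no password at all, and operator accounts that also hold administrative rights. The /etc/shadow and /etc/group contents, the hash strings, and the group names are all constructed for illustration. The check relies on one property of cloned firmware images: every unit ships with the identical salted hash string, so the hash itself identifies the vendor default without needing to know the password.

```python
"""Audit shadow(5) and group(5) data for default passwords and for operators
holding admin rights. Sample data and hash strings below are constructed
placeholders, not real crypt(3) output."""

from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample /etc/shadow. A cloned image ships the *same* salted hash
# on every unit, so the hash string itself identifies the vendor default.
SAMPLE_SHADOW = """\
root:$6$deadbeef$IMAGEDEFAULTIMAGEDEFAULT:15000:0:99999:7:::
operator:$6$deadbeef$IMAGEDEFAULTIMAGEDEFAULT:15000:0:99999:7:::
maint:$6$c0ffee11$UNIQUEUNIQUEUNIQUEUNIQUE:0:0:99999:7:::
field::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

# Constructed sample /etc/group.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:maint,operator
operators:x:1000:operator,field
"""

# Hash string copied from the shipped image (constructed placeholder here).
IMAGE_DEFAULT_HASH = "$6$deadbeef$IMAGEDEFAULTIMAGEDEFAULT"


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str  # "default_password", "no_password", "operator_has_admin"


def parse_shadow(text: str) -> Dict[str, dict]:
    """Map user -> {"hash", "lastchg"} from shadow(5) lines (9 colon fields)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = {"hash": fields[1], "lastchg": fields[2]}
    return entries


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member users from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def login_possible(pw_hash: str) -> bool:
    """A hash of '*' or one prefixed with '!' disables password login."""
    return not (pw_hash == "*" or pw_hash.startswith("!"))


def change_forced(entry: dict) -> bool:
    """lastchg == 0 is what `chage -d 0` sets: new password required at next login."""
    return entry["lastchg"] == "0"


def audit(shadow_text: str, group_text: str, default_hash: str,
          operator_group: str = "operators",
          admin_groups: tuple = ("sudo", "wheel")) -> List[Finding]:
    """Return one Finding per problem. A default hash is reported even when a
    change is forced at next login, because the default still authenticates once."""
    shadow = parse_shadow(shadow_text)
    groups = parse_group(group_text)
    findings = []
    for user, entry in shadow.items():
        h = entry["hash"]
        if not login_possible(h):
            continue  # daemon-style account, nothing to log into
        if h == "":
            findings.append(Finding(user, "no_password"))
        elif h == default_hash:
            findings.append(Finding(user, "default_password"))
    admins = set().union(*(groups.get(g, set()) for g in admin_groups))
    for user in sorted(groups.get(operator_group, set()) & admins):
        findings.append(Finding(user, "operator_has_admin"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SHADOW, SAMPLE_GROUP, IMAGE_DEFAULT_HASH):
        print(f"{f.user}: {f.issue}")
```

On the sample data this reports root and operator still on the image default, field with no password at all, and operator holding sudo rights while also being an operator account; maint passes because its hash is unique and a password change is already forced at next login. The string comparison only works while the vendor hash is cloned verbatim; if a unit re-salts at setup, you would instead have to try the known default password against each hash with crypt(3).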

Sometimes I wonder if all commercial robots ship with a default password. I wonder if I'll wake up one day and find out that someone has stolen one of the military's hunter-killer drones out of the air because it had a user name of 'atomics' and the password was 'atomics'.

Ok, so you are still not convinced that you need to get rid of default passwords, so let me tell you a true story of robots and default passwords. I'll leave out the names of the guilty for entertainment value; as you will see, this could have been anyone.

Once I was watching a representative from a robotics company, whose robot you have probably seen on YouTube, give a talk about their robot, how it was useful, and why you should buy one. When the presenter got to the slide that described how you can connect to the robot using WiFi, the person sitting next to me opened their laptop and attempted to connect to it. It asked them for a user name and password, which they obviously didn't have, so they downloaded the robot's user manual and looked up the default password. They were now logged into the robot that was on the stage in front of the entire audience, while the presenter was completely unaware that the robot was no longer under their control. While at the time I suggested that it would be impolite to interrupt the presentation, I am now convinced that it would have been an embarrassing but relatively harmless learning experience for the industry.

So in conclusion, robots should not have a default password. A unique administrative password should be set during initial configuration. At the very least, you may want to change the default password before you give your next presentation, and certainly before the next CES.
