Some of the most popular industrial and consumer robots are dangerously easy to hack and could be turned into bugging devices or weapons, according to researchers from IOActive Inc.


Researchers from the cybersecurity firm found major security flaws in industrial models sold by Universal Robots, a division of U.S. technology company Teradyne Inc., a Bloomberg article reports. They also cited issues with consumer robots Pepper and NAO, which are manufactured by Japan’s SoftBank Group Corp., and the Alpha 1 and Alpha 2 made by China-based UBTech Robotics. These vulnerabilities could allow the robots to be turned into surveillance devices, surreptitiously spying on their owners, or enable them to be hijacked and used to physically harm people or damage property, the researchers wrote in a report.


The larger cybersecurity concern, however, may not be robots, but enterprise-wide threats stemming from the proliferation of devices on the Internet of Things. Speaking at the Gartner Security and Risk Management Summit, Toan Trinh, consulting systems engineer at Fortinet, said that rather than simply focusing on protecting new devices from the outside world, enterprise cybersecurity must also focus on connecting new devices to older, existing devices, which are most probably running old code, and on protecting the entire network that such devices run on, a ZDNet article reports.


Gartner forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020. The consumer segment is the largest user of connected things, with 63 percent of the overall number of applications; however, businesses are on pace to use 3.1 billion connected things in 2017, the firm forecasts.


“One of the issues of IoT is that there’s a lot of legacy systems and devices out there and [when people designed them] they never thought about the security aspect,” Trinh said. Compounding the situation, he continued, is that many of the businesses that manufactured or sold the devices to organizations 10 years—or more—ago are out of business, which results in the inability to patch or request support. What’s more, legacy systems that the rest of the organization depends on are highly prevalent, something the recent WannaCry ransomware brought to the forefront, Trinh said.


“Everyday IoT—especially consumer IoT—is really designed to be useful, fun, convenient and cheap, but when you look at the manufacturing or thought process for IoT, designers must come out with a device very quickly, cheaply and easily accessible. When things are made so inexpensively, they often don’t envisage the device sitting there for five or 10 years,” he explained. Consequently, security always becomes an afterthought, he said.


According to Trinh, there are four key elements to look at from an enterprise point of view when thinking about the IoT: the device itself; the network it uses; the platform it connects to, such as the cloud; and the data that it transfers. “All of these elements need to be secured in some fashion,” he said.


“[It’s about] providing the network with the smarts to protect yourself from these devices. When a device gets introduced, that opens up your attack surface. You have to build a security fabric that controls your access layer … because today’s network is borderless,” Trinh said. “Before jumping on the IoT bandwagon, think about your network and its current status … and determine how well you can handle these devices coming on.”


What are your thoughts on enterprise cybersecurity threats stemming from IoT devices? What about your company’s suppliers and partners? Does their cybersecurity plan, or lack of a plan, introduce supply chain risk?