Consumer adoption of robotic devices to perform repetitive tasks like lawn cutting, vacuum cleaning, and clothes ironing is becoming an established market. As better-performing and more economically attractive products reach the market, predictions are that market growth will strengthen. New applications of this technology are also in development; toys that entertain and educate children without parental supervision, or mobile assistants that will respond to commands and have the flexibility and ability to perform menial tasks such as fetching a drink from the refrigerator or loading a dishwasher. A consequence of this growing market of consumer robotics technology is the cybersecurity risks and the effects that such devices bring into the home. Manufacturers must be conscious of these risks to develop safe and secure consumer products.
Consumer adoption of robotic devices to perform repetitive tasks like lawn cutting is now proven. Robot vacuum cleaners are now commonplace, and the Covid-19 pandemic has seen the appearance of autonomous sanitizing machines in hospitals and indoor public spaces.
Robotic assistants are available that manage a range of simple functions, including handling chores, environmental monitoring, and even providing entertainment. Such robot assistants are available now in select countries, but the market is immature and pricing makes sales challenging at present.
Artificial intelligence, mobility and processing capabilities bring the reality of science fiction androids closer to deliverable products. In the near future, such devices will provide medical care and assistance for persons with age-related issues, impairments or disabilities where round-the-clock services can be provided with significant financial benefits over traditional care solutions.
What are the risks?
The benefits of robotic devices can appear tremendous, but manufacturers must be aware of the safety, security and privacy risks they also bring into the home. Brand reputation can be fragile, and robot devices that accidentally put their owner into a hospital because they’ve been hacked will attract considerable media attention.
In common with other intelligent home devices, domestic robots can hold and acquire personal information that is of value to an attacker for identity theft. Robots can often observe and record their surroundings, gathering valuable intelligence that can be used to facilitate a crime, such as burglary of the premises or remote manipulation of the victim.
The main difference between robotic technology and other smart home devices is their ability to move autonomously, whether this is a vacuum cleaner navigating its way around furniture or a robotic assistant wandering around the home. Positional monitoring techniques such as visual recognition, signal reflection processing, or physical contact sensing can allow a robot to create an internal map of its operating environment. Such information can be valuable to an attacker in determining floor plans, identifying room usage based on furniture positioning, and estimating property value based on physical dimensions. Having access to such information can help a burglar identify which properties in an area are likely to deliver the most significant rewards, plan entry and egress routes and point to probable locations for items of interest. Just as satellite mapping has enabled the online casing of the outside of properties, the information contained within robotic devices can complete the picture by showing what’s under the roof.
It is also possible for an attacker to hijack the robot’s operations to perform actions that facilitate crime. Whether that is creating a distraction, disabling security controls, or causing physical damage. The more complex and capable the robot, the greater the potential to perform actions useful to an attacker. The ultimate low-risk crime would be to hijack the operation of a humanoid type of robot and program it to collect all items of value in a house and leave them in a neat pile on the driveway for drive-by collection.
From a marketing viewpoint, developing robotic products that encourage consumer empathy will positively influence the buy decision, the longevity of product retention and brand loyalty with like-for-like replacement at the product end of life. Empathy can be induced with factors ranging from visual appearance, emitted voice and sound effects, and behavioral traits. Human characteristics such as facial features and fingered hands, and a human voice encourages trust and reduce negative emotions.
The downside of creating empathy is the psychological impact of the device’s failure or behavior changes that compromise the consumer-device relationship. Implementing effective fail-safe modes can ensure any technical malfunction will put the device into a state that maintains the connection, potentially even evoke a sympathetic response. However, the greatest challenge is implementing secure systems that will prevent an attacker from gaining control over all or part of the robotic systems. An ability to change its behavior and exploit the emphatic relationship or create a situation that causes the owner distress or psychological harm creates novel risks. Emotional bonds can be abused to manipulate the owner.
Attack vectors can range from hijacking the robot to communicate with its owner, persuading them to do what the attacker wants. Or the attacker can coerce the owner by threatening to destroy the robot unless the owner does the attacker’s bidding. These risks are particularly significant where the robot has unsupervised interactions with children and adults with cognitive impairments. The robot may also interfere with the home environment to inflict a psychological attack on the owner. From scaring away pets, discouraging visits from family and friends, leaving threatening messages or creating hazardous situations, the options are limited only by the robot's performance capabilities.
The standard security controls for intelligent devices apply as the baseline for robotic security. Robust security should prevent all but the most determining and sophisticated attacks on each device and the networks that they connect with.
Additional controls will be required to manage the risks that robots bring into the consumer’s home. With all moving devices, these risks will encompass both safety and security. The threats will come from the security domain, but the consequences of any security vulnerabilities being exploited will be wider-ranging. The first step for any manufacturer is to develop robust risk identification and assessment processes with qualified and experienced practitioners. The greatest threats often come from the realization of risks that were never identified.
Security consequences will be centered around the theft of personal information or consequential effects. The compromised device may itself be exploited, or it may provide a gateway for attacking other network-connected devices using privilege escalation and lateral movement techniques. Safety consequences will be centered around the movement of a compromised machine, causing damage to property or physical harm to anyone in the vicinity. From starting fires to breaking bones, a thorough risk assessment is necessary to identify and mitigate all credible risks.
Strength in numbers
Another factor for manufacturers to consider is that a device cannot be viewed in isolation from its operating environment. As robotic devices become more widely adopted, households may well have ownership of multiple devices of different capabilities to perform a range of roles. A sophisticated and coordinated cybersecurity incident may result in lateral attacks on some or all the robotic devices connected to a network. Malicious control of multiple devices in collective action can result in significantly more damage or harm than each machine would be capable of achieving alone. This risk of common mode vulnerabilities will be increased where products use the same processing technology, standard protocols, and shared component suppliers. Off-the-shelf components used across manufacturers simplify and de-risk development processes but require dissimilar security controls to achieve sufficient technical independence to eliminate common-mode failures.
Home environments are sensitive to cyber-attacks due to the more considerable emotional impact on victims compared with attacks on commercial or governmental targets. The loss or damage to personal possessions or the long-term effects of identity theft can have a significant emotional impact that standard business controls such as insurance and replacement will not adequately compensate.
Traditionally, the development of smart devices for the consumer market has been driven by demand for low-cost products. This meant that security was often omitted in the race to be first to market. The fundamental principles of secure by design, secure out of the box and secured for life apply to all intelligent device development, especially for robots: complex mobile devices with the capabilities to cause harm.
Capable and intelligent robotic machines have significant future growth potential for the domestic consumer marketplace regarding sales of existing products and the development of new applications. However, robotic devices introduce novel safety and security risks that traditional manufacturers of intelligent machines may not have experienced. Consumer trust will be a crucial trait for those businesses that are successful in this field. Trust will be dependent on producing safe and secure products. Manufacturers need to address cybersecurity risks by integrating security and safety into the design and development process, safe and secure by design, out of the box and for life.