Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities

CVE Program Blog
2 min read · Jun 10, 2021


Guest author Endika Gil-Uriarte is Chief Strategy Officer (CSO) at Alias Robotics, and Alias Robotics is a CVE Numbering Authority (CNA).

Robots are becoming mainstream, and we encounter them in our daily lives. Systems that used to be found only in industrial environments are rapidly moving into professional and consumer settings. The latest industrial robotics technologies have evolved faster than ever, and cybersecurity has not been at their core. The advent of the Internet of Things (IoT), Industry 4.0, and the connectivity they bring has changed the game forever.

Alias Robotics is a robot cybersecurity company founded in 2018. The company is composed of a team of robotics and cybersecurity experts who created RIS, the Robot Immune System. RIS is an Endpoint Protection Platform that protects robots against malware.

Alias Robotics became a CVE Numbering Authority (CNA) in February 2020. Since then, more than 30 CVE IDs have been issued and referenced, all of them affecting robots or robotic components. Most of the reported vulnerabilities were found during our internal security research. Robot security is a relatively new niche of cybersecurity; therefore, Alias Robotics collaborates with other robot cybersecurity researchers on discovering, triaging, and certifying vulnerabilities. We also maintain an email address for security researchers who wish to send us their findings. We want to encourage a robot security community that moves away from the paradigm of “security by obscurity.”

When a novel robot vulnerability surfaces, we distinguish between our own discoveries and those reported to us by researchers. In the first case, Alias Robotics is continuously looking for robot security vulnerabilities in client-related projects, and most of that work must remain private because of the confidentiality we owe our clients.

If our team finds a vulnerability in a non-confidential project, we immediately report it (via a secure channel) to the robot manufacturer so they can fix it. Once the manufacturer responds and acknowledges it, we typically make it public after 90 days in the Robot Vulnerability Database (RVD), aiming for full transparency in the security process and also incentivizing prompt fixing of issues. Sadly, this is not always the case.

When a third-party researcher reports a vulnerability to us, we assign a CVE ID and triage the issue. Once our team verifies the report and confirms that it is reliable and reproducible, we publish the CVE Record for the vulnerability.

At Alias Robotics, we are now working on opening new collaborations to report more vulnerabilities and work on solving them.


The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. https://www.cve.org