1. Hacking Robotics
Kensei Demura @ken_demu

2. Robot Engineer/Researcher/Creator

3. NII (National Institute of Informatics)
SIGVerse Project Developer

4. D.K.T. Robot School President

5. Background
IPA SecurityCamp 2014
● Raspberry pi IDS Development
https://github.com/kendemu/embeddids
● Furniture Injection

6. The most popular Robot Middleware/OS

7. Robot Operating System
・ visualization
・ IPC
・ Package management
・ Multithread/Process/Clustering
・ Image/PointCloud Processing
・ Robot Modeling / Simulation
・ Cross-platform
・ Navigation
・ Program Scalability

8. Question
Is ROS Secure?

9. ROS Technical Overview
・ Message : XML-RPC(HTTP-based)
・ runs through TCP usually
・ The namesystem of process called “Master”
manages the services
http://wiki.ros.org/ROS/Technical%20Overview

10. 1. a service register a Name to the Master
2. a service query other services through Master
3. a service establishes TCP/IP connection with other
services
4. the services exchange the connection header
5. a service require the serialized message
6. the other service respond with the serialized message
Connection of ROS
Node(Process/Service)

11. How about encryption ？
No data

12. Packet Sniffing

13. Special thanks

14. Background of meeting @jitomesky
Repairing the Intel Edison which I had made a
fatal error on the Operating System side

15. Test Environment:
Gazebo Simulator with Turtlebot
http://qiita.com/kendemu/items/f915c7c2498b04e097cc

16. Node Network

17. Result:
XML-RPC Packet is not encrypted

18. ROS Connection I/O Graph(Red)

19. ROS XML-RPC Packet length

20. Test environment ２ :Roomba

21. Node Network

22. Follow TCP Stream

23. Motor Commands are not
encrypted

24. Negative effects
1. Remote Control is possible just by
spoofing packets
2. How to spoof packets : TCP Spoofing
3. The robots nowadays connect to the
Internet → critical problem for robots

25. Solution
SSH,IPSec,SLL/TLS Encryption
Problem ： Slow for Robot Control
→Needs of fast encryption
※Using IPSec,VPN make network connection more
than 6 times slower
http://d.hatena.ne.jp/nori_no/20100919/1284875253
※ROS XML-RPC Packet length is about
400~600 bytes(496±99.8 bytes)
(by my calculation & datasets)

26. Conclusion
The Network Security
of ROS is weak

27. Pepper Reverse
Engineering(Legal)

28. Pepper : Cross Development
But wanted to do in native
environment
Normally, just the GUI Software above
Pepper OS is NaoQiOS, customized Gentoo※

29. Nmapepper:
Pepper port scan
ftp, ssh, http, teradataordbms, hydap
service open

30. Doing SSH in Pepper was very
slow....
Fortunately, discovered MicroUSB
and Ethernet port!

31. Connect MicroUSB to Pepper

32. Login Pepper with tty
gcc/g++, openni,opencv,gdb,wget,pulseaudio is usable
No X environment, package manager

33. Implementing git
No Make & configure tools in pepper

34. Conclusion
Pepper is programmable in native environment
Pepper is customizable

35. Implementing git
No Make & configure tools in pepper