ROS Resources: Documentation | Support | Discussion Forum | Index | Service Status | ros @ Robotics Stack Exchange
Ask Your Question
6

Security Vulnerabilities in ROS

asked 2013-12-04 05:52:06 -0500

GreatSuccess gravatar image

As far as I'm aware, when a ROS master starts up on a machine, it opens a port for any network machine to attach to. This means that any machine with a route to the ROS machine can freely ask that ROS master for anything it has control over, for example, setting up ROSTCP/UDP connections with nodes running under that master. From an exploiter's point of view, this means that one has access to many avenues of exploitation on a machine running ROS. In the worst case, if a node running with sufficient privilege can potentially allow for an exploiter to run arbitrary code on the ROS machine with administrative privileges. Even on your average case, an exploiter can ask to connect to a topic such as a velocity command on a ROS system connected to mechanical hardware and actually manipulate hardware.

Are there any security measures in place for preventing this kind of situation? If not, are there any plans for adding measures, for example: credentials, to future distros of ROS?

edit retag flag offensive close merge delete
add a comment

4 Answers

Sort by ยป oldest newest most voted
3

answered 2013-12-04 05:55:22 -0500

dornhege gravatar image

Your observations are correct. There are no authentication mechanisms that I know of.

The usual answer/solution is: Put it in a VPN.

edit flag offensive delete link more

Comments

A VPN would be fine for a single machine, but this approach could get clunky for weaker computers (i.e. running ROS on a RasberryPi, Beagleboard, Panda etc). This could also be troublesome for multi-robot systems.

GreatSuccess gravatar image GreatSuccess  ( 2013-12-04 06:40:22 -0500 )edit
add a comment
2

answered 2016-10-15 00:02:44 -0500

ruffsl gravatar image

I know this is an old question, but I'm going to respond here for visibility.
Please check out the new SROS project for new developments to secure ROS.
You can read more about the announcement here:
http://discourse.ros.org/t/announcing-sros-security-enhancements-for-ros/536

edit flag offensive delete link more
add a comment
2

answered 2015-01-22 14:22:29 -0500

DavidV gravatar image

A VPN, which is tunneled encrypted traffic, is a good start. But, I'm concerned that users may believe that this provides all the needed cyber security for the robotic system. There are numerous other network security issues with which to contend. For instance, the VPN implementation itself may have vulnerabilities. Another major issue is that if a single node in a network of platforms connected by VPN is compromised, then that platform can serve as the conduit for an attacker to jump from one platform to the next. All within the security of the provided VPN.

edit flag offensive delete link more
add a comment
0

answered 2016-10-18 02:40:21 -0500

Natty gravatar image

Thanks Ruffsl,

Could you please provide time of availability in production-grade?

Thanks!

edit flag offensive delete link more

Comments

It mainly depends on the level of community participation. Morgan and myself developed the current state of SROS in about 3 months, time spent deliberating experimental implementations, exploring features. Now comes the more structured steps; standardising a REP, unit testing, rosccp support etc.

ruffsl gravatar image ruffsl  ( 2016-10-21 18:58:16 -0500 )edit
add a comment

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-12-04 05:52:06 -0500

Seen: 3,244 times

Last updated: Oct 15 '16

Related questions

Ros::ok() return true with dead roscore in node started as root

[clarification] Packages built during potential compromise in 2019

Possible to communicate with new master without process restart?

rospy Reaction to ROSCore Shutdown

Inform move_base about blocked plan

"get" /run_id param into an arg with roslaunch

if ROS master is running in another machine, does it get all topics stream?

rosmaster crash with duplicated service

abnormal exited rosnode still be seen on Master?

ROS Topics Data Communication over separate networks

ROS Answers is licensed under Creative Commons Attribution 3.0 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2