Researcher add salt to Pepper

Study shows that Pepper catastrophically bad safety precautions.
(c) Softbank Robotics

A recent study by Scandinavian researchers shows that “Pepper” from the manufacturer Softbank Robotics is frighteningly easy to hack. According to Alberto Giaretta from the Örebro University and his colleagues from the Technical University of Denmark, Pepper has many serious security flaws which include, among other things, an administration via an unsecured HTTP connection and a hard-to-change default password for root access.

Pepper is a human-shaped robot that is designed to be a genuine day-to-day companion. According to Softbank Robotics, “Pepper is the first humanoid robot capable of recognising the principal human emotions and adapting his behaviour to the mood of his interlocutor.” Therefore Peppers primary use in healtcare is to be used in nursing homes to entertain the elderly, doing puzzles with them, playing music and passing the time when the caregivers are busy with other tasks.

There had been isolated reports of Pepper hacks in the past. The current study, however, focused on the safety of the robot – and paints a devastating picture.

For example, Pepper offers users a simple web interface for administrative tasks. Access is granted via an unsecured HTTP instead of encrypted HTTPS connection, so attackers can easily steal information such as standard user credentials. Worse, Pepper uses a default password for root privileges, which is relatively difficult to change. In many cases, an attacker could easily gain full access to the robot after logging in as a normal user. It even wouldn’t matter, if a hacker was unable to steal the password for the default user – because a brute force attack works great, the stidy says.

However, the researcher had a bright spot for the manufacturer: According to them the problems should be easy to solve.

You can read the study “Adding Salt to Pepper: A Structured Security Assessment over a Humanoid Robot” here.

Report: Sascha Keutel