Cybersecurity, or simply put the protection of the digital domain, has been very high on the global risk agenda for the past couple of years. This is especially true since 2019, when the world’s pandemic status came into being; cybercrime has seen a particularly sharp spike since that year. One of the most historic and devastating cyber-attacks known to man also took place in this timeframe. The major difference between the last decade and now, with regard to cybersecurity, is that cyber-attacks are now regarded as the biggest threat to the economy. The connected economy has since seen a wide gamut of cybersecurity incidents, including major breaches, politically motivated attacks, and a wide array of software vulnerabilities. Cybercrime has also managed to hit critical infrastructure and even sectors such as heavy industry, which was not previously known for being vulnerable to cyber-incidents.
As the world digitally transforms and society makes the great leap towards artificial intelligence and automation, vulnerabilities are being spotted in the most innovative sectors, such as critical manufacturing robotics. This time, reports confirm that Kuka, one of the world’s leading industrial robot and factory automation giants, based in Germany, is suffering from software vulnerabilities.
The Kuka KR C4 Controller
According to the official Kuka website, the Kuka KR C4 is a “revolutionary” control system (controller). It controls the innovative automated robotics systems used in industries and factories. In the website's words, “The KR C4 concept is revolutionary. For the first time, Robot and Motion Control are seamlessly and interactively integrated with control processes for PLC, CNC, and Safety.” Kuka claims that this controller device reduces costs while increasing flexibility and efficiency in industrial applications.
The Kuka KR C4 Product Vulnerability
The software vulnerability in Kuka’s KR C4 product was reported by CISA (the U.S. federal Cybersecurity & Infrastructure Security Agency). According to the official reports, Chen Jie, who works for NSFOCUS threat intelligence, first reported the issue to CISA. According to the executive summary of the official CISA report, ICS Advisory (ICSA-21-208-01), which was released on July 27th, 2001, there is a software vulnerability in the KR C4 software. Specifically, the affected versions are “all versions prior to 8.7” as well as all versions of KSS. The vulnerability is the use of hard-coded credentials. Because the credentials are hard-coded, an attacker can gain full access (read/write/delete) to the sensitive folders in the system.
The Technical Details
The executive summary goes into the risk analysis of this vulnerability. The CVSS (Common Vulnerability Scoring System) score for this vulnerability is 9.8, indicating that this is a critical security flaw. There are two CVE IDs for this flaw: CVE-2021-33016 and CVE-2021-33014. Further technical details reveal that successful exploitation of this flaw could result in unauthorized (remote) access to sensitive information as well as access to the core shell (VxWorks Shell). This means that a remote (external) attacker could potentially gain full access to the controller system.
The Recommended Safety Measures
There is no traditional patch for customers or owners of these machines; they need to change their passwords manually. A complication is that older versions do not support a password change: KSS version 8.2 and below do not support the password change that is required. Users and customers on these earlier versions should contact Kuka for assistance on the matter. Users and customers on KSS 8.3 and above must change their passwords manually.
CISA Safety Recommendations
According to the official CISA release report, users need to “take defensive measures to minimize the risk of exploitation of these vulnerabilities.” In particular, users should minimize network exposure, isolate control system networks and remote devices, and utilize VPNs (Virtual Private Networks) until they mitigate the issue with the steps in the above section.
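The two sections above (the KSS version split for the password change, and the CISA exposure guidance) can be turned into a triage pass over an asset inventory. The following Python sketch is an added example, not code from Kuka or CISA. The inventory columns, hostnames and version strings are constructed, and treating any 8.2.x build as "8.2 and below" is an assumption.

```python
import csv
import io
import re

# Constructed sample inventory (hypothetical hostnames and column names).
SAMPLE_INVENTORY = """host,kss_version,internet_exposed
cell-a-robot1,8.2.21,no
cell-a-robot2,V8.3.38,yes
cell-b-robot1,8.6.7,no
cell-b-robot2,KSS 8.1,yes
cell-c-robot1,unknown,no
"""

def parse_kss_version(text):
    """Return (major, minor) from strings like 'V8.3.38' or 'KSS 8.1', else None."""
    match = re.search(r"(\d+)\.(\d+)", text)
    return (int(match.group(1)), int(match.group(2))) if match else None

def remediation_for(version):
    """Map a KSS (major, minor) version to the action the article describes."""
    if version is None:
        # Unparseable inventory entry: do not guess, check the device itself.
        return "verify version on the controller"
    if version <= (8, 2):
        # KSS 8.2 and below do not support the required password change.
        return "contact Kuka"
    return "change passwords manually"

def triage(inventory_csv):
    """Return (host, exposed, action) tuples, exposed controllers first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = row["internet_exposed"].strip().lower() == "yes"
        action = remediation_for(parse_kss_version(row["kss_version"]))
        if exposed:
            # CISA guidance: minimize exposure until the credentials are changed.
            action += "; isolate from network / restrict to VPN first"
        rows.append((row["host"], exposed, action))
    # sorted() is stable, so inventory order is kept within each group.
    return sorted(rows, key=lambda r: not r[1])

if __name__ == "__main__":
    for host, exposed, action in triage(SAMPLE_INVENTORY):
        print(f"{host:15} exposed={exposed!s:5} {action}")
```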