ROS Internet Mapping Project

Overview

The ROS Internet Mapping project is a research project in the Computer Science Department at Brown University to identify instances of the Robot Operating System (ROS) available on the public Internet. As robots become more prevalent in our everyday lives, the security of these platforms is becoming increasingly important.

ROS is a widely-used research robotics platform: it provides a publish-subscribe service to distribute data among nodes in a system. Nodes publish or subscribe to topics by advertising or querying a central master node to send or receive data. Like many research platforms, ROS was not designed for security: the ROS master node trusts all nodes that connect to it. The goal of this project is to identify exposed ROS instances and promote improved security in robotics research platforms.

We have conducted several low-rate scans of the IPv4 address space for ROS masters since October 2017 and found several instances of exposed ROS nodes, including both simulated devices and robots.

With permission of its owner, we also conducted a proof-of-concept "takeover" of one of the robots we found, to demonstrate that a robot with an exposed ROS master can be accessed and, potentially, controlled remotely. In our test, we were able to read data from the robot's sensors, and remotely control its actuators. A video of the demonstration is available here.

Further details of our findings are in a technical report, available here.


Frequently Asked Questions

Is ROS broken?

No. Security is not a major part of ROS’ design; instead it provides a message-passing infrastructure between services or devices. As such, care must be taken to ensure that unauthorized parties cannot access a ROS host.

For users looking for alternatives to provide security, we recommend investigating the following platforms:

Does this mean there are attacks on ROS?

At the time of this writing, we are not aware of any exploits against ROS, nor have we observed any attacks in the wild. However, as ROS does not provide any access controls, an open ROS master could leak topic data to a user that connects to it, potentially allowing an attacker to read robot sensor data or send actuation commands to the robot. Our results provide evidence that a number of robots expose this access on the public Internet.
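
As an added example (not code from the project or its technical report), the following self-audit lets a ROS 1 operator see what their own master tells a caller that presents no credentials. It assumes the standard ROS Master XML-RPC call getSystemState and the default master port 11311; the function names, the actuation keyword list and the sample state are constructed for illustration.

```python
import ipaddress
import os
import xmlrpc.client
from urllib.parse import urlparse

# Topic-name fragments treated as actuation-related (assumption for this example).
ACTUATION_HINTS = ("cmd_vel", "joint", "gripper", "motor")

# Constructed sample of a getSystemState result: [publishers, subscribers, services].
SAMPLE_STATE = [
    [["/camera/image_raw", ["/camera_driver"]], ["/scan", ["/lidar"]]],
    [["/cmd_vel", ["/base_controller"]], ["/scan", ["/slam"]]],
    [["/rosout/get_loggers", ["/rosout"]]],
]

def host_scope(master_uri):
    """Classify the host in a master URI: loopback, private, public or hostname."""
    host = urlparse(master_uri).hostname or ""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an IP literal; resolve it yourself to classify
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def exposure_report(system_state):
    """Summarise what the master tells any caller that asks for its system state."""
    publishers, subscribers, services = system_state
    # Published topics can be read by any node that subscribes to them.
    readable = {topic: sorted(nodes) for topic, nodes in publishers}
    # Subscribed topics accept messages from any node that registers as a publisher.
    writable = {topic: sorted(nodes) for topic, nodes in subscribers}
    actuation = sorted(t for t in writable if any(h in t for h in ACTUATION_HINTS))
    return {"readable": readable, "writable": writable,
            "actuation": actuation, "services": len(services)}

def audit_master(master_uri):
    """Query your own master exactly as an unauthenticated client would."""
    proxy = xmlrpc.client.ServerProxy(master_uri)
    code, message, state = proxy.getSystemState("/exposure_audit")
    if code != 1:  # 1 is the Master API success code
        raise RuntimeError(message)
    return {"scope": host_scope(master_uri), **exposure_report(state)}

if __name__ == "__main__":
    print(audit_master(os.environ.get("ROS_MASTER_URI", "http://localhost:11311")))
```

A scope other than loopback together with a non-empty actuation list is the exposure described above: sensor topics readable and actuator topics writable by whoever can reach the master.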

I am a ROS user, how can I protect my system?

I run a network with ROS instances, how can I protect my network?


About Us

Members of the ROS Internet Mapping project include Nicholas DeMarinis, Stefanie Tellex, Vasileios Kemerlis, Rodrigo Fonseca, and George Konidaris.

Please contact our mailing list scan11311@lists.cs.brown.edu with questions or comments.



This work is supported by the Systems Group and the Humans to Robots Laboratory of the Computer Science Department at Brown University.