Underneath the Surface : Threat modeling and penetration testing of a submarine robot

Sammanfattning: Connected devices have become an integral part of life in modern society. In the industry, several tasks have been automatized and are now performed by robots, a development that is called Industry 4.0. Robotics are breaking new ground, and autonomous underwater vehicles (AUVs) will enable the exploration and exploitation of areas previously inaccessible. The underwater robots are therefore expected to be deployed at scale in our seas for commercial and military purposes. This will make them a target for malicious actors to exploit security issues in the AUVs. It has previously been reported that robot developers often down-prioritize security and that leading robotics frameworks have severe vulnerabilities. This thesis aims to assess the security of a modern AUV, SAM, by the Swedish Maritime Robotics Center. The goal was to determine if it is vulnerable to attacks common in robots and connected vehicles and to find out what cyber threats exist to underwater vehicles. The method in this project was ethical hacking through a penetration test. It included creating a threat model for the robot and vulnerability analysis. Several vulnerabilities were selected for exploitation to determine and demonstrate how an attacker could abuse them. The result showed that several vulnerabilities were exploitable, and SAM was considered insecure. The project's direct impact is that it provides SMaRC with advice on how to improve the security of its vehicle and the security practices in its development team. Underwater robotics is still a novel field, and there needs to be more research published on threats to robots. As a result, the threat model and vulnerability analysis can be a good guideline for another security researcher pentesting an AUV or a developer team looking to improve the security of their robots.