Fully operational research robots are often left unsecured on the internet, making it possible for hackers to remotely command these machines to move around and even spy on camera feeds.
Researchers from Brown University in the US ran a worldwide scan in search of hosts running the Robot Operating System (ROS), a popular research robotics platform.
During the scans, which were performed over three different periods in 2017 and 2018, they found as many as 100 exposed systems running ROS, up to 19 of which were considered to be fully operational robots.
The researchers showed that it is possible to control these robots remotely - to spy on camera feeds and even send commands to move the robots around.
"Though a few unsecured robots might not seem like a critical issue, our study has shown that a number of research robots is accessible and controllable from the public internet," researchers said.
"It is likely these robots can be remotely actuated in ways that are dangerous to both the robot and the human operators," they said.
The findings are a reminder that everyone needs to be mindful of security in an increasingly connected digital world, researchers said.
ROS is the dominant platform used in research robotics.
It can be thought of as a robot's central nervous system. The platform aggregates all of a robot's various components - its cameras, sensors and actuators - and ties them to a central computing node.
Through an external computer and a network connection, an operator connects to the central node to give commands to the robot.
"ROS is a great tool for robotics research, but the designers explicitly left security to the end users," said Stefanie Tellex, a roboticist at Brown.
"It doesn't require any authentication to connect to a ROS master, which means if you're running ROS and it's not behind a firewall, anyone can connect to your robot," said Tellex.
Researchers set out to find how many robots running ROS might be out there and accessible via the internet. They performed the scan on three different occasions and found around 100 exposed systems running ROS.
One of the robots detected turned out to be in the lab of one of Tellex's collaborators, Siddhartha Srinivasa, a computer science professor at the University of Washington.
To find out whether it was actually possible to take control of a robot remotely, Tellex contacted Srinivasa and asked his team to leave some of the robot's functions online for a test.
Tellex showed that she could access the robot's camera, move its neck and even make the robot speak using a ROS speech function.
That kind of access can be dangerous, researchers said.
"These robots can potentially be moved in ways that are dangerous to the robot, as well as to the people operating the robot," Tellex said.
Securing these robots is not particularly difficult, researchers said.
They just need to be running behind a firewall or on a virtual private network. However, that requires users to be mindful of security, and the researchers hope this study will encourage people to be just that.
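A self-audit a lab could run on its own robot host, added here as an example and not taken from the Brown study: it reads `ss -ltnH` output and reports whether the unauthenticated ROS master port is bound beyond loopback. Port 11311 is the ROS 1 default and is not stated in the article; the socket listing and the verdict labels are constructed for illustration.

```python
import ipaddress

ROS_MASTER_PORT = 11311  # ROS 1 default master port (assumption: not stated in the article)

# Constructed sample of `ss -ltnH` output from a hypothetical robot host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:11311 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 10.8.0.5:45123 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def parse_listeners(ss_output):
    """Yield (bind_address, port) for each listening TCP socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        # Drop any interface scope ("%lo") and IPv6 brackets.
        yield host.split("%")[0].strip("[]"), int(port)

def scope(host):
    """Classify a bind address as loopback, private, public or all-interfaces."""
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

VERDICT = {
    "loopback": "local-only",
    "private": "internal",         # LAN/VPN address; still needs a perimeter firewall
    "public": "exposed",           # unauthenticated master on a routable address
    "all-interfaces": "exposed",   # bound everywhere; only a firewall stands in the way
}

def audit(ss_output, master_port=ROS_MASTER_PORT):
    """Return (address, scope, verdict) for every listener on the master port."""
    return [(h, scope(h), VERDICT[scope(h)])
            for h, p in parse_listeners(ss_output) if p == master_port]

if __name__ == "__main__":
    for addr, where, verdict in audit(SAMPLE_SS):
        print(f"ROS master on {addr}:{ROS_MASTER_PORT} -> {where}: {verdict}")
```

An "exposed" verdict describes the bind address only; whether the port is reachable from the internet still depends on the firewall or VPN in front of the host.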