
Automatic translation from Russian to English. It may contain inaccuracies.



November 9, 2025 at 5:10 PM, channel "Max Knyazev is typing…" (Telegram mirror)
I'm watching the second season of "Cybervillage" (I recommend you watch the series, I like it) and have reached the fourth episode, in which Izhevsk Dynamics mass-sends its cleaning robots for recycling. The main character calls his hacker dad (cue the cybergrandfather jokes), who together with his friends from the sanatorium "hacks" the company and cancels the protocol; all of this is compressed into 25 minutes of comedy with a cheerful soundtrack. They did, of course, throw around a bunch of narrow terms like spoofing, brute force and so on, but that was just to make it look authentic (at least the terms were real, even if not particularly appropriate).

But let's look at how such hacks happen in reality (strictly for research and educational purposes 🤝).

In reality, such attacks unfold in several stages. It is the same classic attack model that IoT and robotics researchers have been describing for years. So let's see what it looks like (at a high level only), and how to protect yourself from it.

The reconnaissance phase always comes first (including OSINT). Before any hacking starts, attackers collect information: which robot models are in use; which protocols they speak; which open ports and APIs are visible from the outside; which DNS records and certificates the company has; whether there are public repositories (where did they forget to hide the tokens?). Reconnaissance gives an understanding of how the attack can be launched at all, and through what 💀

Next comes initial access. These are the most commonplace things: default passwords, unpatched firmware, vulnerabilities in the API or the mobile application, token leaks, an OTA update process without signature verification. Historically, it is precisely such gaps (what a word) that allowed Mirai and dozens of other botnets to exist at all.

After gaining access, you need to gain a foothold. The attacker installs a persistent agent or steals accounts, looks for neighboring devices on the same network or in the same cloud account, and escalates privileges. Architecture already matters here: if robots and administrative services live in the same network segment, then jumping from one machine to another is easier than it seems. OT/SCADA examples show that the combination of a presence on the local network plus knowledge of the target's process logic turns an information incident into a physical one 🧐

Then comes C2, the command and control infrastructure. A fleet of hundreds of devices is more conveniently managed through a centralized channel (rather than SSH into each robot), with encrypted, hidden or masked traffic and distributed proxies.

And finally, after all of this, comes the show itself, when essentially everything is ready. Most often it is done through the devices' legitimate functions. This is the main point: the attacker usually does not invent new mechanisms, but uses existing functionality. Once access has been gained, a foothold established, and management prepared, the necessary commands are sent, and that's it. This is the final point of the attack 🫡

Which vulnerabilities show up most often in studies and case reports? Firmware without signature verification, weak passwords and no MFA, insecure mobile applications and APIs (token leaks), no network segmentation, patching delays, and vulnerabilities in third-party libraries.

Accordingly, it is obvious what we protect ourselves with: network segmentation and the principle of least privilege; signature and integrity checks on firmware; secure OTA updates and secure channels; MFA and key rotation for cloud and admin accounts; telemetry anomaly monitoring and behavioral IDS for devices; ready-made incident response plans and "safe modes" that can be enabled centrally and that minimize physical harm 🧠
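As an added example (not from the post), here is what the "signature and integrity checks on firmware" item from the list above looks like in code: a minimal OTA verifier in Go that a robot would run before flashing. The manifest layout, the version-based anti-rollback field and the key handling are assumptions of this example, not any real vendor's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest is a constructed OTA metadata format for this example, not any vendor's.
type Manifest struct {
	Version   uint32   // monotonically increasing; used to refuse rollbacks
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // ed25519 signature over version || hash
}

// signedBytes is the exact byte string the vendor signs and the device checks.
func signedBytes(version uint32, hash [32]byte) []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, version)
	return append(b, hash[:]...)
}

// NewKeyPair stands in for the vendor's offline signing key; only the public half is pinned in the robot.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return pub, priv
}

// SignManifest runs on the vendor side: hash the image, then sign version || hash.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{version, h, ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate runs on the robot before flashing. The signature is checked first,
// so nothing in an unsigned manifest (hash or version) is ever trusted.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash does not match manifest")
	}
	if m.Version <= installed {
		return errors.New("rollback to older or same version refused")
	}
	return nil
}
```

The order of checks is the point: a tampered image, a manifest signed with any key other than the pinned one, and a re-served older (vulnerable) image are all refused before anything is written to flash.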

And yes, if you want to properly protect a fleet of robots, think about architecture. Security built into the architecture is cheaper than fixing everything after a massive incident 🥂

P.S. Second post this weekend. Yes, I'm on a roll.

#information_security
#internet_things