On Content Modiﬁcation Attacks in Bilateral Teleoperation Systems Yimeng Dong, Nirupam Gupta and Nikhil Chopra Abstract— In this paper, content modiﬁcation attacks on bilateral teleoperation system are studied. The vulnerability of bilateral teleoperation systems to content modiﬁcation attacks is initially studied, wherein the attacker can modify the states being exchanged between the master and the slave robot. Subsequently, a static malignant content modiﬁcation attack (MCoMA) is introduced that ensures that the robot joint velocities are rendered unstable. A safety mechanism is then introduced to safeguard against static MCoMA. Finally, a dynamic subterfuge MCoMA which can bypass the safety mechanism is proposed. The efﬁcacy of proposed attacks is studied using simulation examples. I. INTRODUCTION Bilateral teleoperation systems (BTOS) extend the human capability to manipulate objects with the help of robotic ma- nipulators and communication networks (Fig. 1). Such sys- tems can be used for various tasks, like handling hazardous materials [1], space and underwater exploration [2] [3], and telesurgery [4], etc. One example of BTOS is shown in Fig. 1. On being manipulated by a human operator, the state of the master robot is transmitted to the slave robot through a communication channel (wired or wireless). The slave robot is coupled to the master robot state through an appropriate controller which then guides the slave robot to complete a desired task in the remote environment. Simultaneously, the state of the slave robot is communicated to the master robot and through the master controller bilateral coupling is established between the two robots. Slave Master Human operator Environment ( ! q m T , q m T ) T ( ! q s T , q s T ) T ( ! " q s T , " q s T ) T ( ! " q m T , " q m T ) T Fig. 1. Demonstration of BTOS structure. With advancement in Internet technology, it has become a popular choice for pairing the robots with Internet in any BTOS. However, data transfer through the Internet is not very reliable, as frequent data losses and delays are encountered [5]. For the past few decades, a lot of research has been conducted to overcome these issues and many of them have yielded fairly successful results [6]. This work was partially supported by the National Science Foundation under grant ECCS1232127. Yimeng Dong, Nirupam Gupta and Nikhil Chopra are with the De- partment of Mechanical Engineering, University of Maryland, College Park, MD, 20740, USA ymdong@umd.edu nirupam@umd.edu nchopra@umd.edu In recent years, the importance of guaranteeing cyber security of cyber physical system (CPS) is being increas- ingly realized. Since most of the CPS are safety critical: their failure can damage the critical physical system being controlled and potentially harm people using it. The exam- ples of cyber attack are Stuxnet malware sabotaging Iran’s nuclear infrastructure [7], water SCADA system attack [8] and power transmission network attack [9]. These incidents provided a boost to research work on CPS security. Different attacks have been analyzed in various CPS security studies. [10] discussed the consequences of the denial-of-service attack where the attacker destroys the data availability in system, whereas [8] focused on the deceptive attack where the attacker intentionally modiﬁes the measurements and control commands of the original system. Various approaches have been adopted. In [11], a quantitative risk management approach was adopted for studying the security of networked control systems whereas game theoretical methods were utilized in [12] and [13]. Similar to other CPS, due to the open nature of communi- cation channel, the BTOS is also vulnerable to cyber attacks. It is easy for malicious entities (attacker) to jam, disrupt, or even take over the communication between master and the slave robots. These attackers can induce physical damages to the BTOS, i.e. causing harm to the robots, humans and the environment involved. This is highly unwanted in any bilateral teleoperation application. The security threats in surgical telerobotics were identiﬁed by [14], and some experimental analysis of security threats on the RAVEN surgical robot are presented in [15] [16]. In these works, the cyber attacks on BTOS are classiﬁed as packets reordering, intentional delays, intentional drops and content modiﬁcations, etc. However, no rigorous theoretical analysis of the attack policies and the prevention/mitigation solutions are discussed. Some other works focus on the secure communication protocol design for telesurgery [17] [18] without anlayzing the impact of the attacks on the physical system. Cryptographic methods like ‘message authentication codes (MACs)’ does provide integrity checks for messages being exchanged between agents in the network. But, every secure MAC requires a key and secrecy of this key is critical for securing the messages against any modiﬁcation en route. Unless both agents at either-ends of the communication link share the same key, implementing MAC is not feasible. Secret-key based integrity checks like MACs are susceptible to ‘insider attacks [23]’ and so, in the work presented in this paper we investigate the repercussions of such ‘insider attacks’ in context of BTOS.