Secure setup of UR cobots
This list proposes actions to reduce cybersecurity risks.
PolyScope 5.10.0 and later versions offer several new, easy-to-implement security settings you can use to effectively harden your system.
The proposed actions are:
- Change default admin access credentials
- Disable “Magic files” when not used
- Restrict inbound connections
- Disable services that are not used
- Disable SSH access if not used
- Use key-based authentication
- Use local port forwarding to tunnel unencrypted connections
- Keep the robot updated with latest software
Change default admin access credentials
It is important to change the default password in any newly installed equipment. The default passwords of specific equipment models can be easily obtained via web search and used to gain full administrative access to the device. Choose a strong password, write it down and store it securely.
There is no built-in password recovery mechanism in PolyScope.
To change the default admin password:
- In the Header, tap the Hamburger menu icon and select Settings.
- Under Password, tap Admin.
- Under Current password, enter the default password (you can find it in the manual)
- Under New password, create your new password.
- Under Confirm new password, repeat your new password.
- Tap Apply to confirm your password change.
Disable “Magic Files” when not used
A “Magic File” is a script on a USB drive that runs automatically when the USB is inserted into the USB port. Magic Files have unrestricted privileges to make system changes. Disable the functionality if it is not actively used. If used sporadically, you can choose to enable it only as required.
To enable and disable Magic Files:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select General.
- Enter your Admin password.
- Enable or disable Run Magic Files.
Restrict inbound connections
To reduce the robot’s exposure to other devices in the network, you can restrict inbound access to specific hosts and/or block specific ports. This minimizes the risk of unauthorized access from other devices or computers.
Configure Restrict inbound network access to this subnet so that network connections originating from an IP address outside the indicated subnet are refused.
For example:
- 192.168.1.0/24 only allows access from hosts in the range 192.168.1.0 – 192.168.1.255. The /24 appended to the IP address is CIDR notation: the first 24 bits are the network prefix, so only the last octet (0-255) varies between hosts. A shorter prefix admits more hosts; /16 would allow all of 192.168.0.0 – 192.168.255.255.
- 192.168.1.96 (equivalent to 192.168.1.96/32) only allows inbound access from that one host.
Leave the field blank to disable subnet restriction.
Configure Disable inbound access to additional interfaces (by port) to make sure any inbound connection to the designated ports is refused.
Examples:
- Use a single number to block one port. For example, 564 blocks port 564.
- Use ranges and commas to block several ports and ranges of ports. For example, 2318-3412,22,56-67 blocks ports 2318 to 3412, port 22, and ports 56 to 67.
- Use 0-65535 to block all ports. Only the services that are enabled in the Services tab then remain reachable.
Leave the field blank to avoid blocking ports.
Any service enabled in the Services tab keeps its port open even if that port is in the blocked list: enabled services take precedence over port blocking. To close the port of such a service, you must disable the service itself.
The following section describes how to disable unused services.
URCaps can require particular network interfaces to be open in order to function. Consult your URCaps vendor/s, if any of your URCaps require particular network interfaces (ports/services) to be open.
To configure Inbound Connections:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select General.
- Enter your Admin password.
- Enter subnet restrictions under Restrict inbound network access to a specific subnet.
- Enter the interfaces to be closed in Disable inbound access to additional interfaces (by port).
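The two fields above combine into one inbound policy, and it is easy to lock yourself out (or leave a port open) by misjudging how they interact. The following is an added example, not code from Universal Robots or PolyScope: it models the subnet field, the port field and the "enabled service takes precedence" rule exactly as the text above describes them, so that a planned configuration can be checked against concrete source addresses and ports before it is applied on the teach pendant. The scenario addresses are constructed; ports 22 (SSH) and 29999 (Dashboard Server) come from this page, while 30001-30003 for the primary/secondary/real-time client interfaces are the standard UR port numbers and are assumed here. PolyScope's own evaluation order is not published on this page, so treat the result as a sanity check, not as a guarantee.

```python
"""Model of PolyScope's two inbound-connection rules (added example, not UR code)."""
import ipaddress


def parse_subnet(text: str):
    """Subnet field: '' means no restriction; a bare address such as
    '192.168.1.96' is a single host (/32); '192.168.1.0/24' is a network."""
    text = text.strip()
    if not text:
        return None
    return ipaddress.ip_network(text, strict=False)


def parse_ports(text: str) -> list:
    """Port field: comma-separated ports and lo-hi ranges,
    e.g. '2318-3412,22,56-67' -> [(2318, 3412), (22, 22), (56, 67)].
    Anything outside 0-65535, or a range with lo > hi, is rejected."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port spec: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


class InboundPolicy:
    def __init__(self, subnet="", blocked_ports="", enabled_services=None):
        self.subnet = parse_subnet(subnet)
        self.blocked = parse_ports(blocked_ports)
        # name -> port of the services left enabled in the Services tab
        self.enabled_services = dict(enabled_services or {})

    def decide(self, src_ip: str, dst_port: int):
        """Return (accepted, reason) for one inbound connection attempt."""
        if self.subnet is not None and ipaddress.ip_address(src_ip) not in self.subnet:
            return False, f"{src_ip} is outside {self.subnet}"
        if any(lo <= dst_port <= hi for lo, hi in self.blocked):
            for name, port in self.enabled_services.items():
                if port == dst_port:
                    # per the page: an enabled service takes precedence over port blocking
                    return True, f"port {dst_port} is blocked, but enabled service '{name}' overrides it"
            return False, f"port {dst_port} is blocked"
        return True, "accepted"


if __name__ == "__main__":
    # Constructed scenario: only the 192.168.1.0/24 cell network may connect,
    # every port is blocked, and only SSH and the Dashboard Server stay enabled.
    # Ports: 22 SSH, 29999 Dashboard Server, 30001-30003 client interfaces (assumed).
    policy = InboundPolicy(
        subnet="192.168.1.0/24",
        blocked_ports="0-65535",
        enabled_services={"SSH": 22, "Dashboard Server": 29999},
    )
    for src, port in [("192.168.1.20", 29999), ("192.168.1.20", 30002),
                      ("10.0.0.7", 22), ("192.168.1.96", 22)]:
        ok, why = policy.decide(src, port)
        print(f"{src}:{port:<6} {'ACCEPT' if ok else 'REFUSE'}  ({why})")
```

Run it with your own subnet, port list and the services you intend to leave enabled; a connection the model refuses that a URCap or PLC needs is the one to resolve before committing the settings on the pendant.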
Disable services that are not used
You can disable unused services running in the system, as open ports increase the exposure of the robot to other devices in the network. The Services menu under the Security tab lists standard services running on the robot. You can enable or disable each service. Disable the unused services. You can always enable them again if needed.
To enable and disable a Service:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select Services.
- Enter your Admin password.
- In the list, select an option and tap Enable, or tap Disable.
Disable SSH access if not used
Secure Shell (SSH) establishes an encrypted and authenticated connection to the robot and allows remote administration of the system. You can enable or disable SSH depending on how often it is used, and enable it again as needed. If you do not administer the robot over the network, leave it disabled.
To enable and disable SSH access:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select Secure Shell.
- Enter your Admin password.
- Configure the Secure Shell Settings – select or deselect Enable SSH Access.
Use key-based authentication
Key-based authentication is a stronger authentication mechanism than password authentication: the private key never leaves your client device, and it cannot be guessed or brute-forced the way a password can. Allowing only key-based authentication (choosing the “Key Based” option in the Authentication menu) strengthens the security of the SSH interface, because password guessing against the robot is then no longer possible.
To switch to key-based authentication:
- Generate a private/public key pair on the device from which you access the robot.
- Transfer the public key to the robot on a USB drive.
- Add the key through the Manage Authorized Keys menu.
- Change the authentication option to Key Based in the Secure Shell menu.
Always store your private key securely (protect it with a passphrase), and only ever transfer the public key. Test the key-based login before you switch the authentication option, so that you do not lock yourself out of SSH.
Use local port forwarding
Port forwarding/tunnelling is a recommended technique for wrapping open, unencrypted interfaces (e.g. the Dashboard Server) in a secure, encrypted tunnel that requires authentication. To enable local port forwarding, check the Allow Port Forwarding box in Secure Shell Settings. You can then set up authenticated and encrypted connections to the interfaces of the robot. The tunnel only protects an interface if direct access to its port from the network is also blocked (see Restrict inbound connections); otherwise the unencrypted path remains open alongside the tunnel.
Examples of interfaces that can use port forwarding:
- The Dashboard Server
- The Primary/Secondary/Realtime Client Interfaces
Port forwarding is only available in remote control mode.
To set up connections using local port forwarding, with Dashboard Server as an example:
- Open two terminal sessions on your client PC.
- In the first terminal session, enter: ssh -N -L 12345:localhost:29999 root@<robot-IP-address> and then enter your password (with key-based authentication, your key is used instead). -N opens no remote shell; -L binds local port 12345 and forwards it through the tunnel to port 29999 on the robot.
- In the second terminal session, enter: telnet localhost 12345 to connect to Dashboard Server.
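The two-terminal procedure above is fine for a one-off check; the following is an added example (not code from Universal Robots) of the same exchange driven from a script, which is how a practitioner would poll the robot from a maintenance host. It builds the same ssh -N -L command as the manual step, waits until the local end of the tunnel is listening, sends one Dashboard command through it and tears the tunnel down. It also covers the previous section: once the robot has been switched to key-based authentication, passing the private-key path adds -i together with BatchMode=yes and PasswordAuthentication=no, so a mistyped address or a robot still on password authentication fails immediately instead of prompting you to type the robot password into an unknown host. ROBOT_IP is a constructed address, the key path is an assumption, and the Dashboard greeting and reply texts shown in comments are what the Dashboard Server is expected to return, not captured output.

```python
"""Scripted local port forward to the Dashboard Server (added example, not UR code)."""
import socket
import subprocess
import sys
import time

ROBOT_IP = "192.168.1.50"      # constructed example address, not from the page
LOCAL_PORT = 12345             # local end of the tunnel, as in the manual step
DASHBOARD_PORT = 29999         # Dashboard Server port on the robot
KEY_PATH = None                # e.g. "~/.ssh/ur_robot_ed25519" once key-based auth is on (assumed path)


def tunnel_command(robot_ip, local_port=LOCAL_PORT, remote_port=DASHBOARD_PORT,
                   user="root", identity=None):
    """Build the same command as the manual step:
    ssh -N -L <local>:localhost:<remote> root@<robot>.
    With an identity file, also refuse password auth and prompts (BatchMode),
    so a wrong host or a robot still on password auth fails loudly."""
    cmd = ["ssh", "-N", "-L", f"{local_port}:localhost:{remote_port}"]
    if identity:
        cmd += ["-i", identity, "-o", "BatchMode=yes", "-o", "PasswordAuthentication=no"]
    cmd.append(f"{user}@{robot_ip}")
    return cmd


def wait_for_port(port, host="localhost", timeout=10.0):
    """Poll until ssh has bound the local end of the tunnel; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def dashboard_query(command, host="localhost", port=LOCAL_PORT, timeout=5.0):
    """Send one Dashboard command over the tunnel; return (banner, reply).
    The Dashboard protocol is line based: the server greets with a
    'Connected: ...' banner line, then answers each newline-terminated
    command with one line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="utf-8", newline="\n")
        banner = f.readline().rstrip("\r\n")
        f.write(command + "\n")
        f.flush()
        reply = f.readline().rstrip("\r\n")
        f.write("quit\n")
        f.flush()
    return banner, reply


if __name__ == "__main__":
    # With KEY_PATH unset, ssh prompts for the password on this terminal.
    tunnel = subprocess.Popen(tunnel_command(ROBOT_IP, identity=KEY_PATH))
    try:
        if not wait_for_port(LOCAL_PORT):
            sys.exit("tunnel did not come up: check that SSH is enabled, "
                     "Allow Port Forwarding is checked and the robot is in remote control mode")
        banner, reply = dashboard_query("robotmode")
        print(banner)          # expected: Connected: Universal Robots Dashboard Server
        print(reply)           # expected: Robotmode: <mode>, e.g. Robotmode: RUNNING
    finally:
        tunnel.terminate()     # closing ssh closes the forwarded port with it
        tunnel.wait()
```

The same pattern applies to the Primary/Secondary/Realtime client interfaces: change remote_port and the local port, and keep the direct ports blocked under Restrict inbound connections so the tunnel is the only way in.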
Keep the robot updated with latest software
Security patches and bugfixes are continuously included in new software releases. Keep your robot/s updated with the latest software to have the latest security patches applied.
To update the robot’s software:
- Download latest software package from official Universal Robots website.
- In the Header, tap the Hamburger menu icon and select Settings.
- Under System, tap Update.
- Insert a USB drive and tap Search to list valid update files.
- In the list of valid update files, select desired version and tap Update to install.
- Verify your programs after the update.