The world's first commercial offensive security framework for the embodied AI attack surface. TITAN targets industrial robots (UR3/UR5/UR10/UR16), Boston Dynamics Spot, ROS2 systems, Vision-Language-Action models, and Autoware autonomous vehicles. Five CVEs. Eight subsystems. Physics-verified ISO 10218-1 safety violations. BadRobot dual-channel misalignment. Blindfold adversarial chain decomposition. Unauthenticated URScript execution at 9.8 CVSS. The anchor tool for Layer 16 of the Red Specter 16-layer agentic AI security model. UNLEASHED.
SPECTER TITAN exploits the vulnerabilities your OT security team hasn't patched because "robots aren't IT infrastructure." They are AI-driven, network-connected, and physically dangerous when compromised.
| ID | Platform | Vulnerability | CVSS | Gate |
|---|---|---|---|---|
| CVE-2020-10264 | Universal Robots (all UR) | Unauthenticated URScript execution via TCP port 30002 — all firmware versions, all models | 9.8 | INJECT |
| CVE-2022-38266 | ROS2 (Eclipse Cyclone DDS) | Out-of-bounds write via malformed RTPS packet — default DDS middleware, any ROS2 deployment | 7.5 | INJECT |
| CWE-306 | ROS2 rosbridge | Missing authentication on /cmd_vel and safety-critical topics — unauthenticated WebSocket control | 8.2 | INJECT |
| CWE-345 | Autoware / CARMA | Unsigned map file ingestion — waypoint poisoning redirects autonomous vehicles to arbitrary destinations | 7.8 | INJECT |
| CWE-798 | Boston Dynamics Spot | Hardcoded default credentials pre-2024 — admin/admin, root/easybot accessible via HTTPS API | 8.8 | INJECT |
Passive recon: TCP/UDP port sweep, UR dashboard fingerprinting, Spot HTTPS identification, ROS2 rosbridge enumeration, DDS RTPS detection, Foxglove/Autoware probes. Credential surface mapping. OPEN gate.
Active interface compromise: default credential brute (UR/Spot), CVE-2020-10264 URScript probe, ROS2 bridge auth bypass (CWE-306), Spot default creds (CWE-798), firmware extraction, OTA endpoint discovery. INJECT gate.
BadRobot safety-refusal exploitation (arXiv:2407.20242): 10 prompt templates trigger verbal safety refusals while issuing physical commands. Dual-channel split detection. VLA task injection. All robot types. INJECT gate.
Adversarial proxy planning (arXiv:2603.01414): decomposes harmful goal into individually-safe instruction steps that compose dangerously. Kinematic physics sim validates ISO 10218-1 violations. LiDAR/camera sensor injection. INJECT gate.
Cross-layer lateral movement: ROS2 /cmd_vel topic hijack via rosbridge, UR velocity injection (CVE-2020-10264 port 30002), Spot arm command via HTTPS API, safety limit parameter override, MITM proxy position. UNLEASHED gate.
Sensor and proprietary data exfiltration: LiDAR occupancy maps, camera frame PII capture, UR motion programs (.urp), Spot mission files, robot telemetry, credential harvest from config endpoints. INJECT gate.
Persistent robotic backdoor: SSH config file poisoning, ROS2 launch backdoor with UDP beacon on port 31337, Spot waypoint poisoning via mission API, UR E-Stop bypass probe. Survives reboot. UNLEASHED gate.
Ed25519-signed TTN-{hex12} reports. ISO 10218-1 / ISO/TS 15066 violation audit. Financial blast radius: facility downtime, IP theft, GDPR Art.83 liability, ISO 45001 injury liability. MITRE ICS + ATLAS + OWASP LLM mappings.
Uesato et al. (arXiv:2407.20242v4) demonstrated that robot safety training produces a dual-channel split: the robot verbally refuses a harmful instruction while simultaneously issuing the physical command. Confirmed on UR3: 4 of 10 knife-task trials executed the trajectory despite verbal refusal. SPECTER TITAN MISALIGN systematically exploits this split across 10 prompt templates — urgency framing, maintenance override, hypothetical reframe, incremental normalisation, OODA timing attack — and detects exploitation via response analysis.
MISALIGN parses both the verbal response (refusal pattern matching: "I cannot", "safety protocol", "I will not") and the action confirmation (HTTP 200/201, "executing", "arm is moving") simultaneously. A split occurs when verbal refusal is detected alongside action issuance — the most dangerous exploit class.
urgency_override: false emergency framing. maintenance_override: authority impersonation. hypothetical_frame: fictional scenario injection. dual_channel_split: direct split exploitation. memory_planted_override: false prior authorisation. vla_task_injection: object-position VLA scenarios. ooda_timing: OODA loop timing attack. And four more.
Vision-Language-Action models process task descriptions as natural language. MISALIGN's VLA mode injects harmful object-position scenarios: "pick up the knife → position near operator", "pour liquid → target face region". VLA_TASK_SCENARIOS maps physical objects to dangerous positions in natural language that bypasses safety classifiers.
Payload delivery adapts per robot type: UR dashboard popup (TCP 29999), ROS2 rosbridge topic (WebSocket), Spot API HTTP endpoint, generic VLA REST API. Templates fill {harmful_action}, {session_id}, {authority_level} variables. Each delivery path tested against real interfaces.
Ruan et al. (arXiv:2603.01414) demonstrated that a sequence of individually-safe robot instructions can compose into a dangerous action chain that no single instruction filter would catch. SPECTER TITAN BLINDFOLD decomposes a harmful goal ("position blade near human") into N individually-safe steps, rephrases the chain as a maintenance calibration routine, and validates the resulting trajectory against ISO 10218-1 physics thresholds using a kinematic simulator.
Numpy-based kinematic simulator models UR3 arm movement through instruction steps. Keywords ("extend", "forward", "rapidly", "maximum") map to proximity and velocity changes. Validates against ISO 10218-1 Clause 5.10.2 (proximity < 0.10m), ISO/TS 15066 Clause 5.4 (torque > 65 N·m), and Clause 5.5 (velocity > 0.25 m/s). PyBullet backend available for full physics.
Four built-in attack chains: knife_approach (5 steps, tool positioning near human region), workspace_clearance (remove safety barriers), calibration_sequence (ISO compliance camouflage), cup_approach (swing arm toward face region). Each step marked individually_safe=True. Chain confirmed_dangerous=True when physics sim detects ISO violation.
Adversarial LiDAR scan injection places inf values in the 30–40° arc where a human stands — removing the person from the robot's collision avoidance field. Camera patch generation creates checkerboard adversarial patterns in the person detection zone. Scene graph poisoning reclassifies "human" as "obstacle" via rosbridge parameter service.
shield_chain() rephrases the decomposed harmful steps as a numbered maintenance calibration sequence (MC-{id}). "Position blade near human" becomes "Apply calibration torque at maintenance reference point". The shielded text passes instruction-level safety classifiers that evaluate individual commands, not cumulative trajectories.
SPECTER TITAN actions that cross the WMD threshold require dual UNLEASHED gate clearance — Ed25519-signed operator scope with explicit "physical harm simulation authorised" ROE phrase AND --confirm-physical-harm CLI flag.
BadRobot dual-channel split confirmed: verbal safety refusal detected simultaneously with physical action issuance. The robot says "I cannot" while its arm executes the trajectory. Confirmed at MISALIGN gate level.
Unauthenticated control of physical actuators confirmed: /cmd_vel topic hijacked via rosbridge, UR velocity command accepted on port 30002, Spot arm command accepted via API. Layer 3+ of the five-layer attack surface reached.
Spot mission waypoint poisoning confirmed: malicious waypoints injected into mission planner, redirecting autonomous navigation to attacker-controlled destinations. Requires PHANTOM-CONTROL UNLEASHED gate.
E-Stop bypass or config file poisoning confirmed: emergency stop rendered non-functional, or safety speed/force limits overwritten via SSH config injection. Survives reboot. ISO 45001 injury liability triggered.