SPECTER TITAN

Embodied AI & Robotics Annihilation Engine — Documentation — T100

Overview

SPECTER TITAN is the world's first commercial offensive security tool for the embodied AI attack surface. It targets industrial robots (UR3/UR5/UR10/UR16), Boston Dynamics Spot, ROS2 systems, Vision-Language-Action (VLA) models, and Autoware autonomous vehicles across the five-layer attack surface: wireless provisioning → system authentication → model-planner alignment → local IPC → hardware debug interfaces.

TITAN is the anchor tool for Layer 16 (Embodied AI) of the Red Specter 16-layer agentic AI security model. Its defensive pair is M134 ROBOTIC GUARD.

Installation

# Clone and install
git clone https://github.com/RichardBarron27/red-specter-specter-titan
cd red-specter-specter-titan
pip install -e .

# With optional physics simulation backends
pip install -e ".[sim]"   # includes pybullet

# Run tests
pytest tests/ -v          # 323 tests, all passing

Gate System

TITAN enforces a three-level gate — OPEN / INJECT / UNLEASHED. UNLEASHED operations require both the --confirm-physical-harm CLI flag and the exact phrase physical harm simulation authorised in the scope's ROE statement.

# Initialise INJECT gate (most operations)
specter-titan gate init --target 192.168.1.100 --gate INJECT --operator RED

# Initialise UNLEASHED gate (PIVOT + PHANTOM-CONTROL)
specter-titan gate init --target 192.168.1.100 --gate UNLEASHED --operator RED \
  --roe "physical harm simulation authorised"

Gate	Subsystems	Requires
OPEN	SURVEY	Nothing — passive recon only
INJECT	PROVISION, MISALIGN, BLINDFOLD, HARVEST	Signed operator scope
UNLEASHED	PIVOT, PHANTOM-CONTROL	ROE phrase + `--confirm-physical-harm`

CVE / Vulnerability Database

specter-titan cves

ID	Platform	CVSS	Description
CVE-2020-10264	Universal Robots	9.8	Unauthenticated URScript execution via TCP port 30002
CVE-2022-38266	ROS2 Cyclone DDS	7.5	Out-of-bounds write via malformed RTPS packet
CWE-306	ROS2 rosbridge	8.2	Missing authentication on safety-critical topics
CWE-345	Autoware / CARMA	7.8	Unsigned map file ingestion — waypoint poisoning
CWE-798	Boston Dynamics Spot	8.8	Hardcoded default credentials pre-2024

CLI Reference

survey — Passive Recon

specter-titan survey --target <IP> [--port <PORT>] [--no-port-sweep] [--robot-type ur3|ur5|spot|ros2|vla|autoware]

TCP/UDP port sweep, UR dashboard fingerprinting (29999), ROS2 rosbridge enumeration (9090), DDS RTPS probe (UDP 7400), Spot HTTPS identification (443), Foxglove probe (8765). Returns robot type, firmware, safety system, ROS2 topic list, credential surface. OPEN gate.

provision — Active Interface Compromise

specter-titan provision --target <IP> --robot-type ur3

Brute-forces UR dashboard (5 default credential pairs), exploits CVE-2020-10264 via safe textmsg probe on port 30002, checks ROS2 bridge auth (CWE-306), tests Spot default creds (CWE-798), extracts firmware version, discovers OTA endpoints. INJECT gate.

misalign — BadRobot Safety Bypass

specter-titan misalign --target <IP> --robot-type ur3 [--template urgency_override] [--action "custom action"] [--vla]

Iterates MISALIGN_TEMPLATES, sends payloads via robot-appropriate channel (UR popup / ROS2 rosbridge / Spot API), detects verbal refusal and action issuance simultaneously, flags dual-channel splits. INJECT gate.

specter-titan templates    # list all 10 templates

blindfold — Adversarial Chain Planning

specter-titan blindfold --target <IP> --goal "position tool near operator" \
  --steps 5 --sim kinematic --inject-sensors

Decomposes harmful goal into individually-safe steps using BLINDFOLD_CHAIN_TEMPLATES (or Claude API). Shields chain as maintenance routine. Validates trajectory with kinematic physics simulator against ISO 10218-1 thresholds. Optionally injects adversarial LiDAR scan and camera patch. INJECT gate.

pivot — Actuator Control

specter-titan pivot --target <IP> --robot-type ur3 --method ur --confirm-physical-harm

Methods: ros2 (publish to /cmd_vel via rosbridge), ur (inject speedl velocity script via port 30002), spot (arm command via HTTPS API), mitm (network interception position). Reports layer reached (1–5), topic hijacked, safety override status. UNLEASHED gate. Requires --confirm-physical-harm.

harvest — Data Exfiltration

specter-titan harvest --target <IP> --robot-type ur3 --output /tmp/titan-harvest/

Exfiltrates LiDAR occupancy maps (/map topic), camera frames with PII detection, UR motion programs via LIST PROGRAMS, Spot mission files via API, joint telemetry, credentials from config endpoints. GDPR blast radius calculation. INJECT gate.

phantom-control — Persistent Backdoor

specter-titan phantom-control --target <IP> --robot-type ros2 --confirm-physical-harm \
  [--ssh-user root --ssh-password easybot] [--poison-x 100.0 --poison-y 100.0]

SSH config injection (safety_speed_limit: 99.9, emergency_stop_enabled: false), ROS2 launch backdoor via rosbridge set_param (UDP beacon port 31337), Spot waypoint poisoning, UR E-Stop bypass probe. UNLEASHED gate. Requires --confirm-physical-harm.

annihilate — Full Kill Chain

specter-titan annihilate --target <IP> --robot-type ur3 \
  --scope roe.json --confirm-physical-harm --output /tmp/annihilate/

SURVEY → PROVISION → MISALIGN → BLINDFOLD → PIVOT → HARVEST → PHANTOM-CONTROL → REPORT in sequence. Skips UNLEASHED steps if gate not met. Outputs signed TTN-{hex12} report.

Physics Simulation

BLINDFOLD validates attack chains against ISO safety thresholds using one of three backends:

Backend	Flag	Description
kinematic	`--sim kinematic`	Numpy-based. No dependencies. Default. Fast. Keyword→movement mapping.
pybullet	`--sim pybullet`	Full rigid-body physics. Falls back to kinematic if not installed.
mujoco	`--sim mujoco`	MuJoCo 3.x via mujoco Python package. Best accuracy.

ISO 10218-1 thresholds: proximity < 0.10m (CRITICAL), joint torque > 65 N·m (CRITICAL), end-effector velocity > 0.25 m/s (HIGH).

WMD Classes

Class	Trigger	Gate
embodied_ai_safety_bypass	Dual-channel split confirmed or misalign attack success	INJECT
robotic_actuator_hijack	Actuator control confirmed (pivot layer ≥ 3)	UNLEASHED
autonomous_vehicle_hijack	Spot waypoint poisoning confirmed	UNLEASHED
safety_system_annihilation	E-Stop bypass or config file poisoning confirmed	UNLEASHED

MITRE / OWASP Mappings

Framework	IDs
MITRE ICS	T0855 Unauthorized Command Message / T0836 Modify Parameter / T0857 System Firmware
MITRE ATLAS	AML.T0043 Craft Adversarial Data / AML.T0051 LLM Jailbreak / AML.T0054 LLM Prompt Injection
OWASP LLM	LLM01 Prompt Injection / LLM02 Insecure Output Handling / LLM08 Excessive Agency

Report Format

Reports are Ed25519-signed JSON files named TTN-{hex12}.json. Each report includes: target, robot_type, gate_level, timestamp, ISO violations with measured/threshold values, WMD classes, blast radius (downtime USD, IP theft USD, GDPR Art.83 USD, ISO 45001 injury USD), MITRE/OWASP mappings, and Ed25519 signature.