A Japanese hotel chain called “Henn na” that uses robots in lieu of human staff is wrestling with bedside bots that researchers hacked to view video footage from guest rooms.
The chain’s parent, HIS Group, owns 10 locations throughout Japan that leverage robots with facial recognition capability for check in and in-room concierge services, among other things. Unfortunately, independent researcher Lance R. Vick found a zero-day flaw in the chain’s in-room Tapia robots that would allow a guest to establish the equivalent of a backdoor that would give them access to video and audio streams remotely, on an ongoing basis, in order to spy on the guests that stay in the room after them.
It’s unclear whether anyone other than Vick actually compromised the devices, but Joseph Carson, chief security scientist at Thycotic, told Threatpost that the potential for malicious activity extends beyond voyeurism.
“Anything that is connected to the internet, whether it be a laptop, phone, webcam or even a hospitality robot, are all exposed to the risk of being hacked and abused,” he said. “Devices that contain cameras used for simple functions, such as motion sensors, can absolutely be abused to record video, analyze that data and perform voice or facial recognition….While that data can be used to abuse privacy of the occupants of the hotels, when we add technology such as machine intelligence [or artificial intelligence], then it can get catastrophic in the future when we add the risks of deep fakes that can then turn this data into complete digital identity theft. We need to approach the future with caution and responsibility and embrace technology.”
Vick reported the zero-day to the vendor in July, but that the vendor “didn’t care.”
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019
The bug exists thanks to unsigned code that opens up access to a near field communication (NFC) tag inside the robot. An NFC tag is a small microchip with content embedded on it that can be read by in-range mobile devices – that range is mere inches, so generally, NFC content is read by “tapping” a smartphone on an NFC reader. Tags can also be programmed to launch a URL or connect to applications (“tap to pay” mechanisms at stores are based on NFC).
Thus, Vick said that exploitation of the robot bug is trivial and requires a minor amount of NFC tag reprogramming – made possible because of the unsigned code. Vick noted on Twitter that an attacker would need to “tap an NFC tag to the back of the [robot’s] head with any URL which breaks out of the ‘jail’; go to settings, allow untrusted apps; use browser to install streaming audio/video app of choice; set to autorun; reboot; watch stream remote whenever you want. It is that easy.”
“Finding an unsecured NFC tag inside the device was so deceptively simple it highlights how bad [internet of things] IoT device manufacturers really are at security,” Chris Morales, head of security analytics at Vectra, told Threatpost. “I’m not a fan of regulation, but in this case, until some form of base, minimum security standards exist for IoT device manufacturers, we will continue to see these kind of tricks. These aren’t even hacks. They are poorly configured devices with glaring security and privacy weaknesses.”
Reportedly, HIS apologized and said that “a modification has been made to prevent exploits by guests, reports TV Asahi,” according to the Tokyo Reporter. The outlet also reported that the manufacturer of the Tapia robots determined that “the risk of unauthorized access was low,” despite the assessment of the researcher.
“If I were staying at a hotel that had a robot with facial recognition and video cameras I would throw a towel over its head,” Morales told Threatpost. “IoT device manufacturers have a horrible track record for securing access to their devices. Installing one in the name of convenience that happens to also be able to record everything I do in what is supposedly a private room is creepy.”
Researchers noted that situations like this are only sure to become more common as IoT proliferates.
“We end up in a situation that is new to humanity, one where we are monitored more aggressively than our predecessors imagined, and not by central authorities but by criminals,” said Thomas Hatch, CTO and co-founder at SaltStack, speaking to Threatpost. “We can say with a level of confidence that the known hacks of such devices are just the tip of the iceberg. With our lives so thoroughly intertwined with connected technologies with such a serious lack of security oversight, events like this will almost definitely become more common. Even large companies with large resources are struggling to keep up with securing their assets, let alone smaller companies that are pushing these devices out to the world. Many smaller companies lack the proclivity or motivation to secure such devices.”
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.