Double Robotics telepresence robots, marketed as a mobile conferencing tool giving remote workers a physical presence at an office, were recently patched against vulnerabilities that could be abused by an attacker.
Researchers at Rapid7 today disclosed details on three vulnerabilities in the robots, two of which were patched in mid-January; the vendor decided against patching the remaining issue.
The robots are best described as a trimmed-down Segway that carries an iPad, which can be used for remote video feeds, giving a telecommuter a face-to-face meeting with colleagues, for example. The telecommuter can remotely drive their robot around the office; the devices weigh less than 20 pounds and the iPad can be held up to five feet off the ground.
Deral Heiland, research lead at Rapid7, privately disclosed the vulnerabilities to Double Robotics on Jan. 9 and seven days later the vendor had deployed server-side patches addressing vulnerabilities that were accessible through the company’s cloud API. An attacker with physical access to the device could exploit these vulnerabilities, capture data from the devices and possibly remotely control them.
Heiland said one vulnerability allowed him to access device information including serial numbers, installation keys, and GPS coordinates. By incrementing an offset number in the API URL, Heiland could enumerate historical and current session data, as well as robot and user installation keys.
Another issue he discovered involved static user tokens that could be accessed by a local attacker or via a man-in-the-middle attack. A successful exploit would allow an attacker to grab the robot_key from the device’s iPad, which could then be used to enumerate the user access tokens that enable remote control of the robot.
Both vulnerabilities were patched server-side on Jan. 16, Heiland said.
“Before the patches were implemented, no calls were compromised and no sensitive customer data was exposed,” said David Cann, Co-Founder and CEO, Double Robotics. “In addition, Double uses end-to-end encryption with WebRTC for low latency, secure video calls.”
The second vulnerability could be abused to learn the driver tokens for all users allowed to remotely control a robot, he said.
“The token always exists and never changes,” Heiland said. “The token works like a session key. You could control it from anywhere once it’s compromised. There’s a complex UUID, so you really can’t guess it. You have to compromise it, but once you do, you own the robot.”
Heiland said the first patch changed the API so that it could no longer be used to arbitrarily query data across all sessions, and the second changed how the robot key is handled so that an API request made with it no longer returns every user’s driver token.
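The two server-side fixes described above, modelled as an added example on a constructed in-memory API (this is not Double Robotics’ code; the session store, the robot keys and the driver tokens are all hypothetical sample data):

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Session:
    session_id: int
    robot_key: str      # identifies the robot the session belongs to
    driver_token: str   # static token that grants remote control

# Constructed sample data: two robots, each with its own sessions and drivers.
SESSIONS = [
    Session(0, "robot-A", "drv-alice"),
    Session(1, "robot-B", "drv-bob"),
    Session(2, "robot-A", "drv-carol"),
]

# Hypothetical mapping of robot_key -> the driver tokens authorised for it.
ROBOT_DRIVERS = {
    "robot-A": {"drv-alice", "drv-carol"},
    "robot-B": {"drv-bob"},
}

def get_session_before(offset: int) -> Optional[Session]:
    """Before the patch: the offset alone selects a row, so any caller can walk
    every session in the system just by incrementing it (an insecure direct
    object reference)."""
    if 0 <= offset < len(SESSIONS):
        return SESSIONS[offset]
    return None

def get_session_after(caller_robot_key: str, offset: int) -> Optional[Session]:
    """After the patch: the offset only indexes into the caller's own sessions,
    so incrementing it can never cross into another robot's data."""
    own = [s for s in SESSIONS if s.robot_key == caller_robot_key]
    if 0 <= offset < len(own):
        return own[offset]
    return None

def driver_tokens_before(robot_key: str) -> Set[str]:
    """Before the patch: any valid robot_key returned every user's driver token."""
    return {t for tokens in ROBOT_DRIVERS.values() for t in tokens}

def driver_tokens_after(robot_key: str) -> Set[str]:
    """After the patch: only the tokens authorised for that robot are returned,
    and an unknown key yields nothing rather than an error leaking structure."""
    return set(ROBOT_DRIVERS.get(robot_key, set()))
```

The hardened handlers bind every lookup to the identity the caller already proved (its own robot key), which is the same scoping change Heiland describes the vendor making.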
The third vulnerability was a weak and insecure Bluetooth pairing process between the iPad head unit and the motor (base) unit it controls. Heiland said that in cases where the head unit is shut down and no longer paired with the base, anyone within Bluetooth range could pair to it without the need for a token. Double Robotics did not deem this a significant security issue and elected not to patch it. Instead, it suggests ensuring that the whole unit is shut down, not just the head.
Heiland said the more serious issues leaked critical data, including longitude and latitude information, which, when paired with device data, could be used to map devices to organizations. Pairing that information with the leaked session keys could expose businesses to risk.
“From an attack standpoint, it’s too much data exposed,” Heiland said. “If I worked in an office with access to a robot and had this data, there would be nothing stopping me from being able to get access, take over a robot, drive around and be able to see with it the video and audio.
“We caught this soon enough and the vendor was really quick and responsive with the fix,” Heiland said. “From a risk standpoint, if you had no access to the robot, the risk is minimal for a business. With physical access and if nefarious enough, the risk would go up. It would not take a lot of work to set this up, watch how it communicates, capture data and discern the problems associated with this.”