Internet-of things is seemly always vulnerable to security flaws. From individual users to the corporate sector, these IoT flaws have always impacted users. Once again, a Japanese hotel fell victim to such a vulnerability in its in-room robots. Exploiting the flaw could allow spying on the customers.
Vulnerability In Japanese Hotel Robots
Security researcher Lance R. Vick spotted a vulnerability in the Tapia robots installed in a Japanese hotel. He found that the zero-day vulnerability, upon exploit could allow spying on customers.
The vulnerable robots served as in-room assistants in the Henn na Hotel Maihama Tokyo Bay. The Henn na Hotel chain of hotels belongs to the H.I.S. Hotel Group. The robots at these hotels provided guests with online facilities, such as weather updates, online shopping, and other services. To use the facility, the guests would have to connect the robots to their smartphones.
Due to the vulnerability, it became possible for anyone to exploit the robots to remotely view the hotel room.
The flaw surfaced online after the researcher shared about it in his tweet.
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
Specifically the NFC tag in the robots allowed for unsigned code to run. Highlighting the exploit in his tweet, Vick stated,
1. Tap an NFC tag to the back of the head with any url which breaks out of the "jail"
2. go to settings, allow untrusted apps
3. Use browser to install streaming audio/video app of choice
4. set to autorun.
6. Watch stream remote whenever you want
It is that easy.
Hotel Apologized And Pledged A Fix
As highlighted by Tokyo Reporter, Vick first spotted the vulnerability in July 2019. He even sent an email to the hotel authorities informing them of the flaw. However, according to a statement from H.I.S., the officials treated the email as spam and paid no heed.
Eventually, when the researcher witnessed no action from HIS, he disclosed the vulnerability publicly via tweet.
Later on, the hotel authorities took the matter seriously and updated the robots with patches. In addition to apologizing for the flaw, they have also assured no malicious exploitation of the bug earlier. As stated in their statement [translated],
All robots were withdrawn from the guest room and investigated. It has been confirmed that it has not been installed.
Let us know your thoughts in the comments.