Researcher Finds Vulnerability in Japanese Hotels Tapia Robots

Internet-of things is seemly always vulnerable to security flaws. From individual users to the corporate sector, these IoT flaws have always impacted users. Once again, a Japanese hotel fell victim to such a vulnerability in its in-room robots. Exploiting the flaw could allow spying on the customers.

Vulnerability In Japanese Hotel Robots

Security researcher Lance R. Vick spotted a vulnerability in the Tapia robots installed in a Japanese hotel. He found that the zero-day vulnerability, upon exploit could allow spying on customers.

‏The vulnerable robots served as in-room assistants in the Henn na Hotel Maihama Tokyo Bay. The Henn na Hotel chain of hotels belongs to the H.I.S. Hotel Group. The robots at these hotels provided guests with online facilities, such as weather updates, online shopping, and other services. To use the facility, the guests would have to connect the robots to their smartphones.

Due to the vulnerability, it became possible for anyone to exploit the robots to remotely view the hotel room.

The flaw surfaced online after the researcher shared about it in his tweet.

Specifically the NFC tag in the robots allowed for unsigned code to run. Highlighting the exploit in his tweet, Vick stated,

Hotel Apologized And Pledged A Fix

As highlighted by Tokyo Reporter, Vick first spotted the vulnerability in July 2019. He even sent an email to the hotel authorities informing them of the flaw. However, according to a statement from H.I.S., the officials treated the email as spam and paid no heed.

Eventually, when the researcher witnessed no action from HIS, he disclosed the vulnerability publicly via tweet.

Later on, the hotel authorities took the matter seriously and updated the robots with patches. In addition to apologizing for the flaw, they have also assured no malicious exploitation of the bug earlier. As stated in their statement [translated],

All robots were withdrawn from the guest room and investigated. It has been confirmed that it has not been installed.

Let us know your thoughts in the comments.

Related posts

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

ZenHammer Memory Attack Exploits Rowhammer Against AMD CPUs