Naked Security

Robot Hotel says sorry about the buggy bedside bots

Japan's Henn na Hotel says it's "modified" the bots so pervs can't exploit the ability to run unsigned code and spy on future guests.

Sure, there are fangs and claws, but it’s not the velociraptor receptionists that are your biggest security worry at Tokyo’s robot-staffed Henn na Hotel.

No, it’s been the cute little egg-shaped Tapia bots that sit right next to your bed, ready to tell you the weather, turn down the lights or, as one security engineer has disclosed, to let someone remotely view video footage from your bedside.

Security engineer Lance R. Vick disclosed the vulnerability a few weeks ago, saying that the bots accept unsigned code, so a user can tap an NFC tag to the back of the robot’s head to gain access via the streaming app of their choice. That means that guests can access the robot’s cameras and microphones so as to watch and listen in on anyone who rolls around in the bed in the future.

Vick says that he warned the parent company, HIS Hotel Group, about the problem 90 days prior to his disclosure. He didn’t hear back, so he went public with it on 11 October.

According to the Tokyo Reporter, the hotel group acknowledged the vulnerability but said that there’s no evidence that it has been exploited by creeps.

The company reportedly tweeted out an apology…

We apologize for any uneasiness caused

…and said that an unspecified “maintenance procedure” had been undertaken on the robots. Your guess is as good as ours when it comes to what that entails: sticky notes covering up the cameras? A wad of gum plugging up the microphones?

Or perhaps addressing the bots’ ability to accept unsigned code, which means they skip the use of public key infrastructure to digitally sign compiled code or scripts, the step that establishes a trusted origin and ensures that the deployed code hasn’t been modified…?

At any rate, according to Tokyo Reporter, TV Asahi has reported that both the hotel chain and the development company behind the Tapia robots were already warned about this in a 6 July email from a guest. The robot company determined that “the risk of unauthorized access was low,” the station said.

This isn’t the first problem the chain has had with its non-meat-based staff. Business Insider reported in January that Henn na Hotel had fired half of its droids because they were so annoying.

One guy kept getting woken up during his one-night stay because the in-room bot interpreted his loud snoring as a command, causing it to ask, repeatedly…

Sorry, I couldn’t catch that. Could you repeat your request?

The dinosaur receptionists also couldn’t make copies of guests’ passports without meat-based help, which figures, given those stubby T-Rex arms – they may be bad at passport photocopying, but they’re great at saving jobs for humans.

1 Comment

Clandestine spycams, loose-lipped digital assistants, unintended, perpetual surveillance–we’re really testing the axiom “there’s no such thing as bad publicity.” Will we see a new standard entry in hotel employee manuals, leading to interactions like this?

Oh, you’re a security researcher? (ruffles papers) I’m so very very sorry…
A plumbing issue flooded your room a couple hours ago, and we’re fully booked.
Might I recommend the Motel 6 across the street?
