If there happens to be a robot in your hotel room, no matter how seemingly innocent, you might want to make sure it’s spending the night somewhere it can’t see you.
This sounds like the plot of yet another sci-fi movie (don’t they all?), but the Henn-na Hotel in Japan had exactly this problem. The in-room robots were vulnerable to hackers who could potentially use them to spy on guests. Luckily, the hack didn’t happen; it was a security engineer who discovered the fatal flaw.
The Henn-na Hotel is designed to be “the most efficient hotel in the world,” run 90% by robots as an entirely futuristic experience. That lofty goal just comes with a few extra security measures.
The robots in question are relatively cute tableside smart assistants, meant to function like an Amazon Alexa or Google Home that can set an alarm, turn on the lights, read the weather forecast, and so on. These little assistants face the guests, and although they weren’t designed to spy on them, they can be compromised to do so. They’re called Tapia robots, created by MJI Robotics in Tokyo in 2016. Cameras and microphones allow the device to watch and listen to its guest for the best user experience, but anyone who has hacked into the bot can see and hear the guest as well.
Security engineer Lance Vick informed the hotel of the security flaw, and after no response for 90 days he made the announcement public via Twitter.
“The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests. Unsigned code via NFC behind the head. Vendor had 90 days. They didn’t care.”
The hotel, of course, issued an apology stating that an investigation had confirmed “no unauthorized applications were installed,” that all countermeasures had been pursued, and that the software had been updated.
This apparently was not the first mention of a security flaw, but the Tapia robot’s manufacturer said in a report that “the risk of unauthorized access was low.” We guess that’s supposed to make guests feel better? It does not.
A quick reminder from a security scientist at Thycotic: anything connected to the internet can contain this type of vulnerability. “In many incidents, the vendors who manufacture them do not provide the ability to turn them off (cameras) which means they focus purely on ease of use and almost always sacrifice security as a result.”
For safety and security, allow your device to update each time it requests an update. And if you’re ever in Japan to visit one of these famous hotels, we recommend just saying hello to the dinosaur working the front desk.
If you need help with cybersecurity, contact DarkHound.