I’m not advising anyone to commandeer bedside hotel robots in order to spy on unwitting guests and curse the night with supernatural televisual activity. But if you wanted to, it would be really, disturbingly, easy. Fortunately for the guests of Japan’s storied robot hotels, an ethical hacker figured this out and reported the vulnerability.
On October 11th, four years after the Henn na Hotel chain launched its grand robot hotel experiment, security engineer Lance R. Vick tweeted an unsettling image of one of the hotel’s smart home-enabled bedside eggs. In place of the robot’s leering cartoon eyes is an Android admin screen showing that the device will accept unsigned code, meaning any guest with the time and the will to work out how to get into the settings could hypothetically have taken over the robot’s eyes, ears, and brain by uploading an app.
Vick, who helps lead the ethical hacker group “#!”, sees the obvious salacious implications of bedside robo-peepholes, but more significantly, a cavalier acceptance of recording devices in public spaces. “I saw exposure as vital,” he said, “as this hotel chain has been reportedly trying to make deals to roll out their technology package to many more hotels leading up to the 2020 Olympics, which will greatly increase the risk this exploit might be used to spy on or blackmail people.” Given that there are nearly 8 billion people in the world, this seems like a close call.
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019
Vick told Gizmodo that he’d informed the hotel and asked whether they had a bug bounty program or disclosure policy. Per standard practice, he offered them 90 days to act before publicising the news and followed up with a final warning, to no avail.
Ninety days, a few tweets, and a Tokyo Reporter story later, the Henn na Hotel Maihama Tokyo Bay put out a statement saying that it had removed the robots from the rooms, investigated them for unauthorised apps, and “took countermeasures against unauthorised access.”
Tapia robot manufacturer MJI Robotics also issued a statement saying that they had inspected all robots in H.I.S. Hotel Holdings and fixed the problem. “In the eventuality that a third party with malicious intents performs unauthorised operation by direct interactions, they cannot access the robot remotely through a network or other means. Only specific known products manufactured by us are vulnerable to this unauthorised operation issue.”
Vick reports that he’s privately told the hotel of other exploits and hopes it will take them seriously.
For the good netizens and aspiring digital lock-pickers among us, Vick gave Gizmodo a riveting PSA. Here is his tale.
Lance R. Vick: On July 6th, I was staying in the Maihama Tokyo Bay robot hotel because robots are fun, and it is close to Disney. The robot check-in with a dinosaur went great, and I was super amused by it. No issues there.
But then I noticed the cute robot in my room that was facing the bed. After exploring it a bit, I realised it had a Rock Paper Scissors app that used the camera. While adorable, the presence of a camera on a device like this was very concerning.
I help lead an ethical hacker group called “#!” where, among other things, we maintain some open source tools for building security and privacy-specialised Android-based operating systems. I recognised right away that this robot was an Android device, and, as with most IoT [Internet of Things] Android devices, I assumed common security corners were cut. I wear an NFC ring, and as I was exploring the back of the device with my hands, it generated a “boop”, evidence of a hidden NFC reader. I put my ring, which has an embedded URL, on the area again.
Sure enough, the screen broke out of the “eyes” app into the main Android interface and launched a browser. From there, I found a random APK file which prompted the “go to settings to enable untrusted apps” notification, with a link to the “Settings” app. I was then able to check “enable untrusted apps,” install any app I wanted and set up said app to run on boot. In the most obvious and dangerous case, I could have installed VLC or another network streaming app to spy on future guests.
Gizmodo: What do you think is the worst-case scenario for a bad actor deciding to “update” a hotel full of these robots, aside from the very creepy implications?
Vick: Well, a number of other security researchers have demonstrated that through most microphones, you can pick up passwords typed nearby with surprisingly useful accuracy. Any microphone in a room that can be controlled by a third party is cause for real concern and I spend a lot of time trying to educate people on these types of risks. Blackmail is another very real option from either audio or video.
One could also use this to emulate a Wi-Fi hotspot, intercept network traffic, turn the air conditioner on or off randomly, change the TV channels or cause general chaos for fun or to terrorise someone. These devices control most of the other in-room devices like a universal remote. I know what teenager-me would have done, and it is not comforting to adult me today.
Gizmodo: What advice would you give to a layperson who wouldn’t know to take these steps?
Vick: If it has a camera or a microphone, and you don’t control the software for it, assume it is compromised. If you must have these devices in your home, you really should consider informing guests about them so they can adjust their activities in that space as they feel appropriate. That can be an Alexa or Google Home (as reported by others quite a bit in the last couple weeks), but it could also be a compromised smartphone, Smart TV, an in-room kiosk device, or a video conferencing system. I have personally compromised many of these classes of devices across my career, and most took very little skill.
Most of the time, vendors give themselves some simple way to get into an administrative interface. In Coke-mixing machines, for instance, you once were able to just press the bubbles in the “water” screen to get to the admin interface to change the mixes. I learned this observing a child trying to poke the on-screen bubbles randomly in front of me in line.
Often, you can circumvent passwords on IoT devices by pressing buttons while applying power. I have successfully used this trick on aeroplane entertainment systems and price checker kiosks at major retail locations. Most Android and embedded Windows devices have a “volume” button and a “power” button somewhere, and you generally can get into the admin mode for these devices if you can find the buttons and try a few obvious combinations.
Generally, when looking at a new device, I start by simply evaluating what the inputs are: NFC, WiFi, Bluetooth, USB via an on-the-go adaptor, any buttons that can be pressed during power-up, etc. Most of the time, vendors give themselves some simple way to get into an administrative interface.
When all else fails, I next go to more complicated methods like finding a “factory restore” image from a vendor website, unpacking it with a tool like “binwalk” and seeing if it requires cryptographic signatures to update or just allows anything. Almost always, it allows anything. In this case, you can just tweak the update image, then intentionally crash the device via any number of methods to enter a mode where it can take your modified update file. Other times, there is a network jack and you can just plug in, monitor some network traffic, see what URL it gets updates from, then feed it a fake one. Most of them take those blindly, too.
The real theme is that these vendors need to ensure their devices only take cryptographically-signed software supplied by the vendor, so no one else can mutate it. Many vendors don’t know how to do this, are working on tight deadlines, or simply don’t care. It is a bit complicated to do this right, I admit, but I maintain some open source tools vendors can reference or use directly to make it much easier. I have done most of the legwork for free so vendors have fewer excuses, particularly considering most of these classes of IoT devices are Android-based.
TL;DR: Don’t trust that random contract engineers working on tough deadlines took the time to put your safety and security first. Stay curious, and take everything apart. You will find the security flaws. They are everywhere.
Gizmodo has reached out to Henn na Hotel Maihama Tokyo Bay and will update the post if we hear back.
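The theme Vick closes with, a device that accepts only software cryptographically signed by its vendor and refuses everything else, is shown below as an added example. It is not code from this page, from Vick’s group or from MJI Robotics: it assumes a hypothetical update-image layout invented for the demonstration and uses Ed25519 from Go’s standard library, with keys generated in-process purely so the example runs offline. The verifier also enforces an anti-rollback check, which a signed-update scheme needs so that an attacker cannot replay an older, still-signed image with a known hole.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout, constructed for this example (not any vendor's real format):
//   "UPDT" | version (uint32 BE) | payload length (uint32 BE) | payload | 64-byte Ed25519 signature
// The signature covers every byte before it, so the version field is protected as well as the payload.
var magic = []byte("UPDT")

const hdrLen = 4 + 4 + 4 // magic + version + payload length
const sigLen = ed25519.SignatureSize

var (
	ErrBadMagic     = errors.New("not an update image")
	ErrTruncated    = errors.New("image truncated or signature missing")
	ErrBadSignature = errors.New("signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// BuildImage is the vendor side: the release pipeline signs with a private key that never leaves the vendor.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device side: parse defensively, verify the signature with the pinned public
// key, then enforce anti-rollback. The payload is returned only when every check passes, so
// nothing reaches flash before verification.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < hdrLen+sigLen {
		return nil, 0, ErrTruncated
	}
	if !bytes.Equal(img[:4], magic) {
		return nil, 0, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := int(binary.BigEndian.Uint32(img[8:12]))
	if len(img) != hdrLen+plen+sigLen { // also catches a stripped or truncated signature
		return nil, 0, ErrTruncated
	}
	signed, sig := img[:hdrLen+plen], img[hdrLen+plen:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSignature
	}
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return img[hdrLen : hdrLen+plen], version, nil
}

// Demo exercises the cases a tester would try: a genuine image, a payload tampered after signing,
// an image signed with an attacker's own key, a genuine image with the signature stripped, and a
// genuine but older image. Keys are generated in-process here; a real device would hold only the
// public key, pinned in firmware.
func Demo() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	payload := []byte("eyes.apk v2 (constructed placeholder payload)")
	genuine := BuildImage(vendorPriv, 2, payload)
	tampered := append([]byte(nil), genuine...)
	tampered[hdrLen] ^= 0xff // flip the first payload byte after signing

	results := map[string]error{}
	check := func(name string, installed uint32, img []byte) {
		_, _, verr := VerifyImage(vendorPub, installed, img)
		results[name] = verr
	}
	check("genuine", 1, genuine)
	check("tampered", 1, tampered)
	check("attacker-signed", 1, BuildImage(attackerPriv, 2, payload))
	check("unsigned", 1, genuine[:len(genuine)-sigLen])
	check("rollback", 2, genuine)
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered", "attacker-signed", "unsigned", "rollback"} {
		fmt.Printf("%-16s -> %v\n", name, results[name])
	}
}
```

Run it with `go run`; the output lists which of the five images the verifier accepts, and only the genuine one should pass. Two points carry over to any real update path regardless of format: the order of checks (length, signature, then rollback, and only then anything that writes to flash), and the fact that the device holds nothing but the vendor's public key, so a tampered or stranger-signed image fails before its contents are ever interpreted.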