The Japanese hotel chain HIS Group apologizes for neglecting warnings, and its indoor robots can be invaded and remotely view video footage from the devices. The hotel’s welcome robot allows guests to check-in via face recognition technology. But a security researcher revealed on Twitter that he warned HIS Group robots of security vulnerabilities in July and disclosed the vulnerability on October 13th after hearing no response.
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019
HIS Group is one of the ten chain hotels in Japan that use robots to replace human waiters. Researcher shows how to penetrate the robot:
1. Tap an NFC tag to the back of the head with any url which breaks out of the “jail”
2. go to settings, allow untrusted apps
3. Use browser to install streaming audio/video app of choice
4. set to autorun.
6. Watch stream remote whenever you want