Japan's Henn na Hotel chain, owned by the HIS Group, uses "bed-facing Tapia robots" in its rooms; these robots turn out to be incredibly insecure: you can update them by pairing with them using a NFC sensor at the backs of their heads. The robots do not check the new code for cryptographic signatures, meaning that malicious actors can install any code they want.
Security researcher Lance R. Vick discovered the vulnerability and repeatedly informed HIS Group; after they failed to take any action over 90 days, Vick publicly disclosed the defect in his Twitter stream on Oct 13.
The manufacturer has now apologized "for any uneasiness caused" but continued to minimize the privacy harms, stating that "the risks of unauthorized access were low." They say they have now updated the robots.
According to Vick, the Tapia robot is slated to be widely deployed during the 2020 Olympics. The hotel chain received a separate security warning from a guest on July 6 and does not appear to have acted on it.
In Vick's thread, he offers this advice: "Don't trust that random contract engineers working on tough deadines took the time to put your safety and security first. Stay curious, and take everything apart. You will find the security flaws. They are everywhere."
On October 16, travel firm H.I.S. Hotel Group acknowledged that it had been possible for persons to gain unauthorized access to its 100 Tapia robots at Henn na Hotel Maihama Tokyo Bay, located near Tokyo Disney Resort.
The pod-like Tapia robots, which provide guests with everything from the weather to the ability to shop online in their rooms, utilize a communication protocol that allows guests to connect their smartphone.
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019