The IoT has thrown up a fresh set of vulnerabilities, this time in a telepresence robot from Double Robotics.
Double Robotics Telepresence Robot offers a mobile conferencing device that allows the remote user to roam around an office for "face-to-face" conversations.
Security researchers at Rapid7 disclosed multiple vulnerabilities with the kit, largely divided into three categories:
- Unauthenticated access to data: An unauthenticated user can gain access to Double 2 device information including serial numbers, current and historical driver and robot session information and GPS coordinates.
- Static user session management: The access token that is created during account assignment to a robot never changes. If this is compromised, it can be used to take control of a robot without a user account or password.
- Unrestricted Bluetooth pairing: The pairing process between the mobile app and robot drive does not require the user to know the PIN. Once paired, a hacker with access to a high gain antenna might be able to take control of the drive unit from up to one mile away.
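The static-token finding in the list above comes down to a design choice on the server side, and it is easiest to see side by side. The Python below is added here as an illustration and is not code from Rapid7 or Double Robotics: it contrasts a store that mints one token per robot at assignment time and never rotates it with one that issues a fresh, expiring token on every (re)assignment and can revoke it, so a leaked token has a bounded lifetime. The robot and account identifiers, the TTL and the injectable clock are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed example: two server-side session stores for robot access tokens.
# StaticTokenStore mirrors the weak pattern described in the disclosure (one
# token per robot, minted once, never changed). RotatingTokenStore is the
# hardened form: a random token per assignment, a time-to-live, and revocation.


class StaticTokenStore:
    """Weak design: the token is fixed at first assignment and never rotates."""

    def __init__(self):
        self._tokens = {}  # robot_id -> token

    def assign(self, robot_id, account_id):
        # Token is minted only once; reassigning the robot to another account
        # hands the new user the very same token, and the old one keeps working.
        if robot_id not in self._tokens:
            self._tokens[robot_id] = secrets.token_hex(16)
        return self._tokens[robot_id]

    def authorize(self, robot_id, token):
        stored = self._tokens.get(robot_id)
        return stored is not None and hmac.compare_digest(stored, token)


class RotatingTokenStore:
    """Hardened design: fresh token per assignment, expiry, explicit revocation."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for testing (constructed choice)
        self._sessions = {}  # robot_id -> (token, account_id, expires_at)

    def assign(self, robot_id, account_id):
        # Every assignment mints a new token; the previous one is invalidated
        # because only the newest entry for the robot is kept.
        token = secrets.token_urlsafe(32)
        self._sessions[robot_id] = (token, account_id, self._clock() + self._ttl)
        return token

    def revoke(self, robot_id):
        # Called on unassignment or suspected compromise.
        self._sessions.pop(robot_id, None)

    def authorize(self, robot_id, token):
        entry = self._sessions.get(robot_id)
        if entry is None:
            return False
        stored, _account_id, expires_at = entry
        if self._clock() >= expires_at:
            self._sessions.pop(robot_id, None)  # lazy expiry on use
            return False
        # Constant-time comparison avoids leaking the token through timing.
        return hmac.compare_digest(stored, token)


if __name__ == "__main__":
    static = StaticTokenStore()
    first = static.assign("robot-1", "alice")
    second = static.assign("robot-1", "bob")
    print("static token unchanged across reassignment:", first == second)

    rotating = RotatingTokenStore(ttl_seconds=60)
    old = rotating.assign("robot-1", "alice")
    new = rotating.assign("robot-1", "bob")
    print("old token still valid after reassignment:", rotating.authorize("robot-1", old))
    print("new token valid:", rotating.authorize("robot-1", new))
```

The point of the rotating store is not the randomness of the token (both stores use a CSPRNG) but that the token's validity is tied to a specific assignment and a clock, so the server can answer "is this token still supposed to work?" rather than only "was this token ever issued?".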
The vendor played down the impact of the research, led by Rapid7’s Deral Heiland, while thanking security researchers for their efforts.
Double Robotics' co-founder and chief exec, David Cann, said: "Rapid7's thorough penetration tests ensure all of our products run as securely as possible, so we can continue delivering the best experience in telepresence. Before the patches were implemented, no calls were compromised and no sensitive customer data was exposed. In addition, Double uses end-to-end encryption with WebRTC for low latency, secure video calls."
More details of the telepresence robot research can be found in a blog post by Rapid7 here. ®