Pierluigi Paganini October 23, 2019

The Japanese hotel chain HIS Group admitted that its in-room robots were vulnerable and could allow hackers to remotely view video footage from the devices.

The personnel at the Henn na Hotel managed by the Japanese hotel chain HIS Group is composed of robots that provide hospitality services to the guests.

The HIS Group hotel chain has 10 locations in Japan that used robots instead of human personnel to provide some services.

The robots use facial recognition to perform check-in operations before access to their rooms and assist them during their stay at the hotel. Now the HIS Group admitted that the in-room robots were vulnerable to hack and could allow remote attackers to view video footage from the devices.

On October 12, 2019, the researcher Lance R. Vick (@lrvick) revealed that he reported a zero-day flaw in the robots to the company in July, but he was ignored by the HIS Group.

The expert discovered an “unsigned code” that could allow an attacker to access video footage via the streaming app of their choice by tapping an NFC tag to the back of robot’s head.

The expert explicitly mentions Tapia robots used in a specific hotel, it is not clear if other locations use different models of robots.

“The operator of the robot-staffed Henn na Hotel chain announced last week that a modification has been made to prevent exploits by guests, reports TV Asahi (Oct. 18).” reported the Tokyo Reporter.

“On October 16, travel firm H.I.S. Hotel Group acknowledged that it had been possible for persons to gain unauthorized access to its 100 Tapia robots at Henn na Hotel Maihama Tokyo Bay, located near Tokyo Disney Resort.“

The HIS Group apologized for any uneasiness caused.

This was not the first time that the Tapia robots used by the hotel chain made the headlines. On July 6, the company was informed by a guest about a security flaw affecting this model of robots.

According to TV Asahi, the manufacturer of the Tapia robots was informed of the issue, but it determined that “the risk of unauthorized access was low,”

Pierluigi Paganini

(SecurityAffairs – Tapia Robots, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]