A Japanese hotel chain, HIS Group, has apologized for ignoring warnings that its in-room robots were hackable and enabled individuals to remotely view video footage from the devices.
The Henn na Hotel is staffed by robots, says a news report; guests can be checked in by humanoid or dinosaur reception bots before proceeding to their room and facial recognition technology lets customers into their room, and then a bedside robot assists with other requirements.
Several weeks ago a security researcher revealed on Twitter that he had warned HIS Group in July about the bed-bots being easily accessible, noting they sported "unsigned code" allowing an user to tap an NFC tag to the back of robot's head and allow access via the streaming app of their choice, says the news report. The researcher made the hack public after he did not hear back from the hotel. In addition, notes the report, the vulnerability allowed guests access to cameras and microphones in the robot remotely, so they could watch and listen to anyone in the room in the future.
In a tweet, the HIS Group apologized, says the news report, and said the robots had been updated to fix the vulnerability.
Joseph Carson, expert in cybersecurity and chief security scientist at Thycotic, says this vulnerability is not surprising. Anything that is connected to the internet, whether it be a laptop, phone, webcam or even a hospitality robot, are all exposed to the risk of being hacked and abused, he notes. "Devices that contain cameras used for simple functions, such as motion sensors, can absolutely be abused to record video, analyze that data and perform voice or facial recognition. In many incidents, the vendors who manufacture them do not provide the ability to turn them off which means they focus purely on ease of use and almost always sacrifice security as a result."