New research from Zingbox has detailed vulnerabilities in telepresence robots that hackers could use to access sensitive data, including chat conversations, images, and live video streams.
Initially discussed at the RSA security conference in April 2018, Zingbox said its security researchers worked with manufacturers to discover five Common Vulnerabilities and Exposures (CVEs), which ranged from unprotected credentials to unauthorized remote access. The company said it is releasing the details of the vulnerabilities now that manufacturers have had a chance to address the issues.
“While much of the burden of ensuring device security falls on the healthcare providers, the collaboration between device manufacturers and security vendors is a critical component to assist healthcare providers,” said Daniel Regaldo, principal security researcher at Zingbox, and co-author of Gray Hat Hacking. “I commend the quick actions by the device manufacturers, which enable us to share additional details regarding this vulnerability and educate the industry on the latest cyber threats.”
Vulnerabilities fixed or in process of being patched
Researchers selected the VGo robot, nicknamed “Celia,” from Vecna Technologies, performing a vulnerability assessment “to try to gain unauthorized access and control of it,” the report stated.
The five vulnerabilities discovered, and reported to the manufacturer, included:
- CVE-2018-8858: Insufficiently Protected Credentials – Wi-Fi, XMPP (Patch Pending)
- CVE-2018-8860: Cleartext Transmission of Sensitive Information – Firmware (Patched in firmware version 18.104.22.168662)
- CVE-2018-8866: Improper Neutralization of Special Elements – RCE (Patched in firmware version 22.214.171.124662)
- CVE-2018-17931: Improper Access Control (USB) (Patch Pending)
- CVE-2018-17933: Improper Authorization (XMPP Client) – (Patch Pending)
Regaldo said it was highly probable that other telepresence robots could have the same mistakes in implementation as the Vgo.
“It is hard to say if other robots would be affected by the same vulnerabilities without testing them,” he said. “However, the bugs identified in Vecna’s robot are related to common technology used across IoT devices, meaning firmware updates, shell command injection, and USB Autorun.”
The report said there were several key lessons from the tests, including:
- As with IT security, it is important to involve Internet of Things security from the design phase of product development.
- IoT devices need physical interaction with humans by design, so physical security needs to be improved.
- IoT manufacturers and security researchers need to start collaborating more closely. Bug bounty programs are the best approach in this regard.
- Trigger real-time alerts so security teams can take actions immediately, and network devices can react accordingly.
Security around robotics remains a high concern for many – earlier this year, researchers revealed vulnerabilities in the Robot Operating System where hackers could take over popular service robots Pepper and NAO from SoftBank and install ransomware.
Zingbox is offering the full report here for a free download. Robotics Business Review has reached out to Vecna Technologies to get more details on the pending patch schedule, and we will update this story once we hear back.