Researchers at Rapid7 discovered several vulnerabilities in Double telepresence robots from Double Robotics. The vendor has addressed the more serious issues with server-side fixes.
Double is a robot that allows people to have a physical presence at their workplace or school without actually being there in person. The product, often described as an iPad on a stick, has been used by many companies and universities.
Rapid7 researchers discovered that the Double telepresence robot had been affected by at least three vulnerabilities, including ones that could have been, or can be, exploited to take control of the machine.
One of the flaws found by the researchers allowed an unauthenticated attacker to gain access to device information, including GPS coordinates, device serial numbers, current and historical driver and robot session data, and device installation keys. The security hole could have been exploited simply by incrementing the value of a parameter in a specified URL.
The second vulnerability is related to the access token (driver_token) created when an account is assigned to a robot. The problem, according to researchers, was that the token never changed or expired, allowing an attacker who possessed the token to remotely take control of a robot.
The access token could have been obtained via an SSL man-in-the-middle (MitM) attack or from the robot’s iPad.
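As an added illustration of the token lifecycle problem described above (example code, not Rapid7's or Double Robotics' own), here is a hypothetical static driver_token that validates forever beside a session-scoped token that expires, rotates on each new session and can be revoked. The class names, the 15-minute lifetime and the driver id are assumptions.

```python
import hmac
import secrets

# Vulnerable model (as the article describes it): one driver_token is minted when
# an account is assigned to a robot and never rotates or expires, so anyone who
# captures it (MitM, the robot's iPad) can drive the robot indefinitely.
class StaticTokenRobot:
    def __init__(self):
        self.driver_token = secrets.token_hex(16)  # minted once, valid forever
    def authorize(self, presented, now):
        return hmac.compare_digest(presented, self.driver_token)  # 'now' ignored

# Hardened model (hypothetical design, not the vendor's fix): a per-driver
# session token with a short lifetime, replaced on every new session and
# revocable, so a leaked token is useful only until expiry or the next session.
class SessionTokenRobot:
    TTL = 15 * 60  # hypothetical 15-minute session lifetime, in seconds
    def __init__(self):
        self.sessions = {}  # driver_id -> (token, expires_at)
    def start_session(self, driver_id, now):
        token = secrets.token_urlsafe(32)
        self.sessions[driver_id] = (token, now + self.TTL)  # overwrites old token
        return token
    def revoke(self, driver_id):
        self.sessions.pop(driver_id, None)
    def authorize(self, driver_id, presented, now):
        entry = self.sessions.get(driver_id)
        if entry is None or now >= entry[1]:
            self.sessions.pop(driver_id, None)  # missing or expired: reject
            return False
        return hmac.compare_digest(presented, entry[0])

def demo():
    """How each model treats a token captured at t0 and replayed later."""
    t0 = 1_000_000.0  # constructed timestamp
    static = StaticTokenRobot()
    captured = static.driver_token
    robot = SessionTokenRobot()
    leaked = robot.start_session("driver-1", t0)
    r = {"static_after_one_year": static.authorize(captured, t0 + 365 * 86400),
         "session_fresh": robot.authorize("driver-1", leaked, t0 + 60),
         "session_after_ttl": robot.authorize("driver-1", leaked, t0 + 16 * 60)}
    fresh = robot.start_session("driver-1", t0 + 17 * 60)  # rotation
    r["old_after_rotation"] = robot.authorize("driver-1", leaked, t0 + 18 * 60)
    r["new_after_rotation"] = robot.authorize("driver-1", fresh, t0 + 18 * 60)
    robot.revoke("driver-1")
    r["new_after_revoke"] = robot.authorize("driver-1", fresh, t0 + 18 * 60)
    return r
```

Running demo() shows the captured static token still accepted a year later, while the session token is rejected after its lifetime, after rotation and after revocation.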
The third weakness is related to the fact that an attacker does not need to know the challenge PIN when pairing the mobile application (i.e. the iPad) to the drive unit via Bluetooth, enabling them to take control of the drive unit.
However, there are some mitigations against potential attacks. The attacker needs to be in Bluetooth range – the distance can be up to one mile if a high-gain antenna is used – and only one mobile device can be paired with the drive unit at one time.
The vulnerabilities were reported to Double Robotics in December, and the unauthenticated data access and session management flaws were addressed in mid-January on the server side.
The vendor believes the Bluetooth pairing issue is not a serious vulnerability and it does not plan on fixing it. Nevertheless, Rapid7 believes users should be aware of the flaw.
“Rapid7's thorough penetration tests ensure all of our products run as securely as possible, so we can continue delivering the best experience in telepresence,” said Double Robotics co-founder and CEO David Cann. “Before the patches were implemented, no calls were compromised and no sensitive customer data was exposed. In addition, Double uses end-to-end encryption with WebRTC for low latency, secure video calls.”
Rapid7 also reported the vulnerabilities to CERT/CC. The organizations agreed not to assign CVE identifiers considering that only one instance of the software was affected and users were not required to take any action to apply the patches.
Rapid7’s security advisory comes just days after IOActive warned that many robots are affected by serious vulnerabilities.