TOKYO (TR) – The operator of the robot-staffed Henn na Hotel chain announced last week that a modification has been made to prevent exploits by guests, reports TV Asahi (Oct. 18).
On October 16, travel firm H.I.S. Hotel Group acknowledged that it had been possible for persons to gain unauthorized access to its 100 Tapia robots at Henn na Hotel Maihama Tokyo Bay, located near Tokyo Disney Resort.
The pod-like Tapia robots, which provide guests with everything from the weather to the ability to shop online in their rooms, use a communication protocol that allows guests to connect their smartphones.
There are currently 10 hotels in the Henn na Hotel chain operating nationwide. Other robots on staff at the hotels resemble people and dinosaurs and provide services at front desks.
According to H.I.S., the unauthorized access of the Tapia robots included the ability for a guest to view the room remotely. However, the company added that there was no evidence that a guest had previously gained such access.
“We apologize for any uneasiness caused,” H.I.S. said in a tweet. The company also said that a maintenance procedure had been undertaken on the robots.
The matter emerged via Twitter. On October 12, security engineer Lance R. Vick (@lrvick) tweeted, “The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.”
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn’t care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019
Not the first time
This was not the first time that the chain had become aware of the possibility of unauthorized access to its Tapia robots. On July 6, the chain received an email from a guest who pointed out a “security vulnerability” in the robots.
After the development company behind the Tapia robots was contacted, it was determined that “the risk of unauthorized access was low,” according to TV Asahi. The company also determined that the motivation of the guest was a monetary return.
However, the network points out, the company put its guests at risk for three months.
Update: Vick later said via Twitter that he had also sent the first email.
The guest that reported the issue on July 6th was also me.
I simply asked if they had a bug bounty program or appropriate department to report the details of the issue. I would have gladly provided details for free had they replied stating they do not have such a program/dept.
— Lance R. Vick (@lrvick) October 22, 2019