Is the hotel robot a voyeur? IoT companies that neglect security are a great "threat" | Business + IT

In October, a security engineer tweeted about a vulnerability he had reported in an assistant robot installed at the bedside in a "Henn na Hotel" (literally "strange hotel") operated by HIS Hotel Holdings, a problem that forced the hotel's vendor to respond. Shortly before that, Panasonic, KDDI and others announced a project called "LIFE UP Promotion". The security of home appliances and IoT devices seems to be a growing concern, and the two cases make both companies and users think about how to interact with IoT in the future.

    Freelance writer Shinji Nakao


Freelance writer and editor. Since editing books at ASCII and O'Reilly Japan, he has translated, written and interviewed both in print and on the Web. Mostly IT, but he occasionally writes for automobile-related media. I've been using the Internet (though it wasn't called that) since UUCP.

1. Hacker Discovers Bedside Robo Vulnerability
2. IoT with diverse potential threats
3. Physical security is also important for IoT devices
4. Recognition that even companies are one of the threats
5. The limits of business that "collect personal information"
6. There is no future for IoT that neglects security

1. Hacker Discovers Bedside Robo Vulnerability

The vulnerability of the assistant robot installed in "Henn na Hotel Maihama" was discovered by an overseas security engineer. The engineer immediately reported it to HIS Hotel Holdings, the hotel operator. The hotel side investigated together with the robot's development vendor (MJI), but could confirm no hacking or information leakage. The hotel said it deliberately did not reply to the reporter because it assumed he was contacting it for a bug-bounty reward.

The discoverer said that he had heard nothing from the hotel even after 90 days, and posted from his Twitter account, along with a photo of the hacked robot, that "the camera and microphone can be controlled with code via NFC" (Near Field Communication, the short-range standard often used for smartphone payments). The tweet was quoted and retweeted in Japanese and quickly became a hot topic in Japan. When the hotel and the development vendor investigated again, the vulnerability via NFC was confirmed, the robot's software was repaired, and the related products were updated online.

The discoverer had reported that the robot was vulnerable and could be hacked, but MJI did not know that the problem lay in NFC. The discoverer stated that NFC was the easiest route, so if the problem had been communicated correctly to the development vendor, it could have been confirmed immediately. However, in bug bounties it is the rule that the first contact does not give too much detail, because the reporter needs to secure the reward (otherwise the company may fix the issue and ignore the reporter). Companies that may receive such reports should keep this rule in mind.


In any case, handling vulnerability reports from outside, including bug-bounty reports submitted for a reward, is difficult. There is a global framework for vulnerability information, but generally speaking one cannot simply dismiss the credibility of a report just because it comes from someone other than the appropriate organizations (in Japan, NISC, JPCERT/CC and the like). It is easy to criticize the hotel's or vendor's response just by looking at the sequence of events and their consequences, but that does not contribute much to solving the problem or to defending oneself. The lessons for service providers and development vendors are to be aware of bug bounties and "social debugging", and, in the case of IoT devices, to be more careful than with PCs and servers about hacking, tampering and attacks through physical contact.

Unlike PCs and servers protected inside buildings and data centers, IoT devices that are carried around or installed outdoors face a wide range of risks. The same applies to smartphones and tablets. There are many attack vectors, such as wireless LAN, Bluetooth, NFC, infrared, USB ports, SD slots, earphone jacks and power cables, each of which can introduce a threat. The earphone jack was once a vulnerability in Android smartphones: there used to be a debug-mode version that allowed serial communication through the earphone jack (now fixed). Techniques for reading signals out of the noise picked up from a power cable have also been studied. On the development side, the rule is that functions not used in the shipping version are not implemented, in either hardware or software. If you deliberately keep them, as leftovers from development, for future extensibility, or for maintenance, you must not neglect the final specification check and countermeasures.

From the user's point of view, it is important to be aware that security measures are hard to apply to IoT products. The size, price, installation location, usage and purpose of the products are so diverse that it is difficult to cover all measures at once. Price and size are especially big issues. Products with low unit prices have a limited budget for countermeasures. If the terminal and edge side cannot do the processing and the resources needed for countermeasures cannot be secured, there is generally no choice but to ask the service provider or development vendor to consider security measures on the network, at a hub node, or in the cloud. Traffic monitoring and log monitoring can detect fraudulent and suspicious communication and processing and be used for prevention and response. Since users cannot control these, the countermeasures must be left to the provider or vendor.

But that does not mean you have to be pessimistic. Most attack vectors other than the network cannot be exploited unless the attacker approaches or directly touches the device itself. In the case of the Henn na Hotel robot, the discoverer actually stayed at the hotel and got into the actual machine directly. Physical access can be handled with physical security. Controlling entry and exit and screening guests is difficult in hotels and restaurants, but since IoT home appliances are inside the house, a certain level of physical security (entrance and exit management) can be expected. In the Henn na Hotel case, one can simply disable the robot's NFC function, or prevent unsigned code from being accepted. Both can be software measures. MJI has already announced that countermeasures have been taken. Also, it seems that the only robots equipped with NFC are those installed in Maihama.

[Next page] Recognition that even companies are one of the threats
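The two software-side measures the article names for the Henn na Hotel robot, disabling NFC and refusing unsigned code, as a small Python model added here (not MJI's or the hotel's code; the robot's real payload format and signing scheme are not public, so the JSON envelope, the per-device key and the command set are assumptions). The "before" handler executes whatever arrives over NFC; the "after" handler adds a kill switch, an authenticity check (an HMAC under the assumed device key stands in for the vendor's code-signing check) and a command allow-list that keeps the camera and microphone out of NFC's reach.

```python
import hashlib
import hmac
import json

# Assumed: a per-device secret provisioned at manufacture (constructed demo value).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
# Assumed: the only operations the robot should accept over NFC; camera and
# microphone control are deliberately absent.
ALLOWED_COMMANDS = {"set_alarm", "play_music", "read_weather"}


def handle_nfc_vulnerable(payload: bytes, state: dict) -> str:
    """Before: whatever arrives over NFC is parsed and executed as-is."""
    cmd = json.loads(payload)
    state[cmd["op"]] = cmd.get("arg")
    return "executed " + cmd["op"]


def handle_nfc_hardened(payload: bytes, state: dict, nfc_enabled: bool = True) -> str:
    """After: NFC can be switched off outright; when on, only payloads whose
    MAC verifies under the device key and whose command is allow-listed run."""
    if not nfc_enabled:
        return "rejected: NFC disabled"
    try:
        msg = json.loads(payload)
        body = msg["body"].encode()
        tag = bytes.fromhex(msg["mac"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "rejected: malformed"
    expected = hmac.new(DEVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "rejected: bad signature"
    cmd = json.loads(body)
    if not isinstance(cmd, dict) or cmd.get("op") not in ALLOWED_COMMANDS:
        return "rejected: command not allowed"
    state[cmd["op"]] = cmd.get("arg")
    return "executed " + cmd["op"]


def sign_command(op: str, arg=None) -> bytes:
    """Builds a tagged payload the way the legitimate companion app would (assumed format)."""
    body = json.dumps({"op": op, "arg": arg})
    mac = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac}).encode()
```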


    Business + IT is operated by SB Creative Corp. of SoftBank Group.

    Copyright © SB Creative Corp. All rights reserved.
