Double Robotics Telepresence Robot can be hacked

Rapid7 researchers have discovered a number of vulnerabilities in the Double Robotics Telepresence Robot, the company’s iPad-based telepresence device that looks a bit like a Segway.

About the Double Robotics Telepresence Robot

The robot allows remote users to simulate a physical presence during a meeting, and facilitates face-to-face interaction with the other participants.

It uses gyroscope and accelerometer sensors in its base to easily move around, and can be controlled with a desktop (Mac or Windows) an iPhone or an iPad.

Found vulnerabilities

The researchers have found three types of vulnerabilities:

• Unauthenticated access to data – An unauthenticated user could gain access to Double 2 device information, including device serial numbers, current and historical driver and robot session information, device installation keys, and GPS coordinates.
• Static user session management – The access token which is created during account assignment to a Robot was never changed or expired, and if compromised, it could be used to take control of a robot without a user account or password.
• Weak Bluetooth pairing – The pairing process between the mobile application (iPad) and robot drive unit does not require the user to know the challenge PIN. Once paired with the robot drive unit, a malicious actor can download the Double Robot mobile application from the Internet and use it (along with the web services) to take control of the drive unit.

Company reaction

The vulnerabilities were responsibly disclosed to Double Robotics, and the company took only a week to push out fixes for the first two flaws. No user action is needed, as the patches were implemented on the Double Robotics servers.

The third issue won’t be patched.

“Regarding the open Bluetooth pairing question, Double is always connected to the iPad via Bluetooth and the iPad is always on and receiving charge from the base, so the connection cannot be hijacked or intercepted,” they explained the reasoning behind that decision.

“The Bluetooth connection is also a very short range, so an attacker would need to be within 30-50 feet of Double (i.e. already have access to the facility) and catch it in a moment when both the iPad’s battery has died, yet the robot base still has some battery left. There is also no microphone or camera accessible through Double’s Bluetooth connection, so the attacker wouldn’t have access to any communications. Because of this extremely low risk, we do not see the need for a pairing code.”

The company made sure to note that they consider the vulnerabilities to be non-critical, and that no calls were compromised and no sensitive customer data was exposed before the patches were implemented.

All in all, they should be applauded for how swiftly and well they handled the disclosure.