Black Hat: Hackers can remotely hijack enterprise, healthcare Temi robots

Temi’s interactive assistance robots are remotely exploitable with little more than a phone number.

Hacking healthcare: Why connected medical devices and hospitals are such a tempting target for cyber criminals

Robots used in hospitals and care homes to assist patients and the vulnerable can be fully hijacked by cyberattackers. 

On Thursday at Black Hat USA, McAfee's Advanced Threat Research (ATR) team disclosed new research into the robots, in which remotely-exploitable vulnerabilities were uncovered, potentially leading to mobile, audio, and video tampering on the hospital floor. 

The robot in question is Robotemi Global's Temi, a "personal robot" that uses a range of sensors, artificial intelligence (AI) and machine learning (ML) technologies, as well as modern voice activation and mobile connectivity to perform functions including personal assistance tasks, answering Internet queries, and facilitating remote video calls.  

Available for both personal and business use, Temi has found itself put to work in the enterprise, as well as in senior living and healthcare facilities. All it takes to set up is for a mobile device to scan the robot's QR code, in order to become Temi's administrator. Teams of contacts can also be set up that are able to call the robot, a useful feature for medical professionals and family members alike. 

Over the course of several months, McAfee security researchers took the robot for a spin, testing everything from its firmware and update processes to app connectivity and responsiveness to commands. 

In total, four vulnerabilities were found, the use of hard-coded credentials, an origin validation error, missing authentication for critical functions, and an authentication bypass. The security issues spotted by McAfee have been assigned CVE-2020-16170CVE-2020-16168CVE-2020-16167, and CVE-2020-16169

"Together, these vulnerabilities could be used by a malicious actor to spy on Temi's video calls, intercept calls intended for another user, and even remotely operate Temi -- all with zero authentication," the researchers say. 

See also: Cybersecurity 101: Protect your privacy from hackers, spies, and the government

The robot itself and its accompanying Android app were both explored. The first bug, found in the Android application, only required a user's phone number to exploit.

A few modifications to the Android app, made possible through the discovery of static IDs and credentials, and attackers could intercept or eavesdrop on phone calls intended for the victim. 

Using a combination of ADB, Apktool, Keytool, and Jarsigner, the team were then able to adapt the app further for the purpose of privilege escalation due to a lack of integrity checks either by the app itself or Temi servers used to connect mobile apps to their robots.

CNET: The best home security camera of 2020

A combination of caller authentication check failures and the ability to send crafted packets to add malicious actors to contact lists with escalated controls was then exploited, and in theory, attackers would then have the tools required to remotely control the victim's Temi robot, including moving the device and activating both the camera and microphone. 

"With the phone number of anyone who has called a Temi recently, an attacker can observe what room number and condition a hospitalized member of Congress is in," the team says. "Temi can watch the security guard type in the building alarm code. Temi can observe the dog pictures on the nurse's desk labeled with its cute name and birthday, that just happens to also be part of their password."

TechRepublic: Security analysts: Industry has not solved the talent gap or provided clear career paths

The vulnerabilities were present in Temi running firmware version 20190419.165201, Launcher OS version 11969, and Robox OS version 117.21. The vulnerable Android app was running version 1.3.3. 

McAfee reported its findings on March 5 to Robotemi Global. The cybersecurity company says that the robotics vendor was one of the "most responsive, proactive, and efficient" firms it has worked with, and the vulnerabilities were patched rapidly after disclosure. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0