Telepresence robots from Vecna Technologies can be hacked using a suite of five vulnerabilities. The flaws can be combined to allow an attacker full control over a robot, giving an intruder the capability to alter firmware, steal chat logs, pictures, or even access live video streams.
Vecna has already patched two of the five vulnerabilities and is in the process of addressing the other three.
- CVE-2018-8858: Insufficiently Protected Credentials - Wi-Fi, XMPP - Patch Pending
- CVE-2018-8860: Cleartext Transmission of Sensitive Information - Firmware - Patched
- CVE-2018-8866: Improper Neutralization of Special Elements - RCE - Patched
- CVE-2018-17931: Improper Access Control (USB) - Patch Pending
- CVE-2018-17933: Improper Authorization (XMPP Client) - Patch Pending
The flaws were discovered earlier this year by Dan Regalado, a security researcher with IoT cyber-security firm Zingbox.
The vulnerabilities affect Vecna VGo Celia, a telepresence robot that can be deployed in the field but controlled from a remote location. Telepresence robots are equipped with both a microphone and a video camera and sit on movable rigs.
They are usually found in hospitals, to allow doctors to interview patients from afar; in schools, to allow sick children to attend classes or professors to teach while on the road; or in factories, to allow technical inspections by authorized personnel.
"Because the robot performs firmware updates over HTTP, an attacker with access to the same network segment where the robot is connected can intercept the update," said Regalado in a research paper published this week.
The attacker can poison the firmware with malicious code, or analyze it for flaws he can exploit at a later date. This last scenario is what Regalado did.
He found that Vecna developers had left a developer tool active on the robot that made the device vulnerable to a range of attacks. This tool, a CGI script, allowed the attacker to execute commands with root privileges on the device.
Regalado says the attacker can use this vulnerability to access internal robot functions, but could also use the infected robot to attack other devices on an organization's internal network.
Vecna has already patched these two issues, CVE-2018-8860 and CVE-2018-8866, but Regalado says there's another one just as bad.
He says that CVE-2018-17931 lets an attacker plug a USB thumb drive into a robot, after which the robot's firmware will execute a file hosted on the USB stick (/config/startup.script) with root privileges, giving the attacker the opportunity to hijack the device.
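The two findings above share a root cause: the robot trusts bytes based on where they came from (an HTTP download, a mounted USB stick) rather than on who produced them. The defensive pattern is to authenticate the artifact itself with a vendor signature before flashing or executing it, so that intercepting the HTTP update or planting a startup script gets an attacker nothing. The following Go program is an added illustration of that pattern and is not Vecna's code; the container layout (a 64-byte Ed25519 signature prepended to the payload), the function names and the sample payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical update container layout (an assumption for this example):
// the first 64 bytes are an Ed25519 signature over everything that follows.
const sigLen = ed25519.SignatureSize

var (
	errTooShort     = errors.New("update rejected: container shorter than a signature")
	errBadSignature = errors.New("update rejected: signature does not verify against the vendor key")
)

// signUpdate is the vendor/build-server side: the private key never leaves the
// build environment, so the device only ever holds the public half.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	return append(sig, payload...)
}

// verifyUpdate is the device side. It is deliberately agnostic about the
// channel: a firmware image fetched over plain HTTP and a startup script read
// from removable media go through the same check, and neither is used unless
// the signature verifies under the pinned vendor public key.
func verifyUpdate(pub ed25519.PublicKey, container []byte) ([]byte, error) {
	if len(container) < sigLen {
		return nil, errTooShort
	}
	sig, payload := container[:sigLen], container[sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errBadSignature
	}
	return payload, nil
}

// applyIfTrusted models the gate in front of flashing or executing: it returns
// true only when the payload is accepted, and never touches a rejected one.
func applyIfTrusted(pub ed25519.PublicKey, source string, container []byte) bool {
	payload, err := verifyUpdate(pub, container)
	if err != nil {
		fmt.Printf("%-22s %v\n", source+":", err)
		return false
	}
	fmt.Printf("%-22s accepted %d-byte payload\n", source+":", len(payload))
	return true
}

func main() {
	// Constructed vendor key pair; in a real deployment only pub is on the device.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample artifacts standing in for a firmware image and a
	// startup script found on a USB stick.
	firmware := signUpdate(priv, []byte("constructed firmware image v1"))
	usbScript := signUpdate(priv, []byte("#!/bin/sh\necho constructed startup.script\n"))

	// An on-path attacker modifying the HTTP download changes payload bytes,
	// which invalidates the signature.
	tampered := append([]byte(nil), firmware...)
	tampered[len(tampered)-1] ^= 0x01

	// A script an attacker wrote themselves carries no vendor signature at all.
	unsigned := []byte("#!/bin/sh\necho attacker-authored script\n")

	applyIfTrusted(pub, "firmware over HTTP", firmware)
	applyIfTrusted(pub, "tampered firmware", tampered)
	applyIfTrusted(pub, "USB startup.script", usbScript)
	applyIfTrusted(pub, "unsigned USB script", unsigned)
}
```

Moving the update channel to HTTPS is still worthwhile (it also stops passive readers from analysing the image for flaws, the second scenario the article describes), but signature verification is what makes the firmware path and the removable-media path fail closed even when the transport is compromised.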
Regalado also discovered CVE-2018-8858. This flaw lets an attacker recover WiFi passwords that the robot uses to connect to an organization's internal network or the XMPP credentials that the robot owner uses to connect to the device from remote locations.
CVE-2018-17933, the last of the three unpatched vulnerabilities, resides in the XMPP client, which is the heart of the robot's firmware, working as a tunnel between the remote user and the telepresence robot's internal functions.
The XMPP client has access to everything, and Regalado says an attacker could abuse this flaw to execute any commands he wants, allowing him to steal chat logs, pictures the robot has taken, or even dump raw video feeds as they're streamed and send the video files to an attacker.
Knowing that many of these telepresence robots are also deployed in enterprise boardroom environments, an attacker intent on economic espionage could use these robots to gain access to private intellectual property, or to attend closed meetings where sensitive information may be exchanged, information that is extremely valuable for insider trading.
UPDATE [October 19, 13:00 ET]: A Vecna spokesperson told ZDNet that the Zingbox report and an ICS CERT advisory contained outdated information and said that three flaws were fixed, not just two. He also confirmed that fixes will be arriving for the last two unfixed bugs.
"CVE-2018-8858 was fixed along with the two others mentioned when they were originally identified earlier this year. Note that the only two not addressed have different ICS-CERT numbers because they are new and not disclosed to us. We will be fixing them immediately."