Telepresence Robots? Hackable.

Flaws found in telepresence robots by the firm Double Robotics could make it easy to take control of the devices remotely. (Image courtesy of Double Robotics.)

In-brief: Residents of Uncanny Valley have something more to worry about: telepresence robots by the firm Double Robotics contain numerous, exploitable vulnerabilities, the firm Rapid7 reports. 

Telepresence robots are those wheeled office compatriots: swinging into your cube, classroom or examining room with the overexposed face of some colleague or professional staring down at you from the mounted screen. A marvel of the modern, borderless office, telepresence already hovered in a kind of workplace “uncanny valley” – cool, but also unsettling in a way that can be hard to put your finger on.

Now there is more to worry about than just the “creep factor” with telepresence systems. According to research by the firm Rapid7, a leading model of telepresence robots used in offices is vulnerable to hacking, including remote,, wireless attacks that could put an attacker behind the wheel of the roving office robots.

Researcher Deral Heiland of the firm Rapid7 reported on the company’s blog on Monday that he discovered three vulnerabilities in the Double Robotics Telepresence Robot ecosystem. Together, they allow anyone to view sensitive information from the device including its serial numbers, GPS coordinates and device installation keys,  or take control of the robot  without a user account or password.

Among other things, Heiland found that the company stored sensitive information related to robot sessions insecurely. An attacker could view that information merely by incrementing an offset value in a URL. Also, Double telepresence robots use static tokens for user session management whenever a user is assigned to a Robot.

That means anyone who stole that token could re-use it to control the robot. Similarly, a Bluetooth interface on the Double Robotics systems is vulnerable to unauthorized access from anyone with an iPad and the Double Robot mobile application. “Once paired with the robot drive unit, a malicious actor can download the Double Robot mobile application from the Internet and use it (along with the web services) to take control of the drive unit,” Heiland wrote.

Rapid7 disclosed the holes to Double Robotics prior to disclosing them and the company has issued a patch. In a statement, the company’s CEO, David Cann said that he knows of no compromised sessions with his company’s telepresence robots nor of any sensitive customer data that was exposed as a result of the vulnerabilities.

This is just the latest research pointing to security problems with robot platforms.

In a paper released in February, IOActive researchers Cesar Cerrudo (@cesarcer) and Lucas Apa (@lucasapa) reported 50 cybersecurity vulnerabilities in what they term “robot ecosystem components” for common industrial, business and home robots. Similar to the Rapid7 research, the IOActive researchers discovered that the robots studied failed to use strong authentication controls or encryption to protect sensitive communications to and from the device. Default settings for robots frequently left them vulnerable to tampering, including the use of default passwords that were either “hard coded” (that is: could not be changed) or were difficult to alter.

IOActive also warned that the open source robot framework, the Robot Operating System (or ROS) ROS suffers from many known cybersecurity problems: sending communications as cleartext, weak authentication and authorization schemes, and so on. ROS is used by several robots from different vendors, spreading the insecurity around.

Spread the word!

Comments are closed.