Rapid7 discovers three flaws in Double 2 telepresence robots

Credit: Ted Eytan

You know the telepresence robots that roll around offices with a camera, microphone and iPad attached in order to give remote users a way to participate “face-to-face” in meetings? It would be trippy if an attacker were able to take control of such a robot, but also entirely possible. Today, Rapid7 revealed three security flaws it discovered in the mobile conferencing device Double Telepresence Robot.

Rapid7 researcher Deral Heiland discovered three vulnerabilities: unauthenticated access to data, static user session management, and weak Bluetooth pairing. Two of the three vulnerabilities disclosed to Double Robotics were patched in January, a quick response considering the fixes were deployed about a week after the flaws were disclosed to the company.

Unauthenticated access to data

Regarding unauthenticated access to data, Rapid7 explained, “An unauthenticated user could gain access to Double 2 device information, including device serial numbers, current and historical driver and robot session information, device installation_keys, and GPS coordinates.”

Two examples of exploiting the flaw involved using a URL to obtain critical session information, as well as robot and user installation keys. Double Robotics deployed a server patch to mitigate the issue on Jan. 16, 2017.

Static user session management

Heiland also found that “the access token (also referred to as the driver_token), which is created during account assignment to a Robot, was never changed or expired. If this token was compromised, it could be used to take control of a robot without a user account or password.” Rapid7 explained that despite the complexity of the 40-character access token, “it can still be enumerated by anyone who has access to the Double Robot iPad or is successful in creating an SSL man-in-the-middle attack against the device.” By gaining access to user access tokens, an attacker could take remote control of the robots.

Double Robotics deployed a server patch to resolve this flaw on the same day in January that it issued the one for the unauthenticated access vulnerability. The vulnerabilities were disclosed to Double Robotics on Jan. 9 and patched on Jan. 16.

Weak Bluetooth pairing

As for the weak Bluetooth pairing vulnerability, Rapid7 wrote, “The pairing process between the mobile application (iPad) and robot drive unit does not require the user to know the challenge PIN. Once paired with the robot drive unit, a malicious actor can download the Double Robot mobile application from the Internet and use it (along with the web services) to take control of the drive unit.”

The exposure of this flaw was described as “limited, since the unit can only be paired with one control application at a time. In addition, the malicious actor must be close enough to establish a Bluetooth connection. This distance can be significant (up to 1 mile) with the addition of a high-gain antenna.”

Double Robotics doesn’t believe this to be “a significant security vulnerability” and, therefore, doesn’t intend to patch it.

Double Robotics said, “Before the patches were implemented, no calls were compromised and no sensitive customer data was exposed. In addition, Double uses end-to-end encryption with WebRTC for low latency, secure video calls.”
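To make the static session management problem concrete, here is an added example (not Rapid7's or Double Robotics' code) contrasting a server-side store that hands out one permanent driver_token per robot with a hardened store that issues a fresh token on every account assignment, revokes the previous one and lets tokens expire. Robot IDs, account names and the one-hour lifetime are assumed values for illustration.

```python
import secrets
from dataclasses import dataclass

TOKEN_HEX_CHARS = 40   # matches the 40-character token length quoted in the article
TTL_SECONDS = 3600     # assumed session lifetime for the hardened store

@dataclass
class DriverSession:
    robot_id: str
    account: str
    expires_at: float

class StaticTokenStore:
    """Models the flaw: one driver_token per robot that is never rotated or expired."""
    def __init__(self):
        self._token_by_robot = {}

    def assign(self, robot_id, account, now):
        # Reassigning the robot hands back the same token, so a leaked token stays valid forever.
        return self._token_by_robot.setdefault(robot_id, secrets.token_hex(TOKEN_HEX_CHARS // 2))

    def authorize(self, robot_id, token, now):
        return secrets.compare_digest(self._token_by_robot.get(robot_id, ""), token)

class RotatingTokenStore:
    """Hardened store: new token per assignment, previous token revoked, short TTL."""
    def __init__(self):
        self._sessions = {}        # token -> DriverSession
        self._active_token = {}    # robot_id -> currently valid token

    def assign(self, robot_id, account, now):
        self.revoke(robot_id)      # reassignment invalidates the previous driver_token
        tok = secrets.token_hex(TOKEN_HEX_CHARS // 2)
        self._sessions[tok] = DriverSession(robot_id, account, now + TTL_SECONDS)
        self._active_token[robot_id] = tok
        return tok

    def authorize(self, robot_id, token, now):
        sess = self._sessions.get(token)
        if sess is None or sess.robot_id != robot_id:
            return False
        if now >= sess.expires_at:  # expired: drop it so it cannot be replayed later
            self.revoke(robot_id)
            return False
        return True

    def revoke(self, robot_id):
        tok = self._active_token.pop(robot_id, None)
        self._sessions.pop(tok, None)
```

With the static store a token captured from the iPad or via an SSL man-in-the-middle remains usable indefinitely; with the rotating store the same capture is useless after the next assignment or after the TTL elapses.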