Incident Details

Incident: Robot Hotel's Tapia Robots Vulnerable to Remote Spying Hack

Published Date: 2019-10-24

Postmortem Analysis
Timeline	1. The software failure incident at the Japanese hotel chain with robots happened in October 2019 [Article 90414].
System	1. Tapia robots at the Henn na Hotel chain in Japan [90414]
Responsible Organization	1. The owners of the Henn na Hotel chain in Japan were responsible for causing the software failure incident by ignoring warnings that their bedside robots could be hacked [90414].
Impacted Organization	1. Guests staying at the Henn na Hotel chain in Japan were impacted by the software failure incident where the robots could be hacked to spy on them [90414].
Software Causes	1. The software cause of the failure incident was the vulnerability in the Tapia robots at the Henn na Hotel chain in Japan, which allowed for remote camera/mic access to all future guests by placing an NFC sticker behind the robot's head [90414].
Non-software Causes	1. Lack of proper physical security measures: The incident occurred due to a physical vulnerability in the robots that allowed them to be easily hacked by placing a cheap NFC sticker on their heads [90414]. 2. Insufficient vendor response: The vendor did not address the security flaw within the given 90-day period, indicating a lack of prompt action to rectify the issue [90414]. 3. Lack of thorough testing and security checks: The hotel chain may have failed to conduct comprehensive security testing on their robot staff, leading to the oversight of this critical vulnerability [90414].
Impacts	1. The software failure incident allowed anyone to potentially spy on guests in their rooms through the hacked Tapia robots at the Henn na Hotel chain in Japan [90414]. 2. The incident caused uneasiness among guests and the public, leading to an apology from the hotel owners for the security flaw [90414]. 3. The hotel had to take measures to fix the fault in the robots to prevent further unauthorized access to the cameras and microphones [90414]. 4. The reputation of the Henn na Hotel chain, known for its robot staff, was negatively impacted by the incident, adding to previous issues with the automated workforce [90414].
Preventions	1. Implementing a robust security testing process to identify vulnerabilities in the software used in the Tapia robots [90414]. 2. Regularly updating and patching the software in the robots to address any known security flaws [90414]. 3. Conducting thorough security assessments on the NFC technology used in the robots to prevent unauthorized access [90414]. 4. Enforcing a strict vendor response timeline for addressing reported security issues to ensure timely fixes [90414]. 5. Implementing stricter access controls and restrictions on the software running on the Tapia robots to prevent unauthorized activities [90414].
Fixes	1. Implementing a fix for the issue by inspecting the robots for NFC tags [90414].
References	1. Security engineer Lance R. Vick [Article 90414]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	one_organization	(a) The software failure incident related to the security vulnerability in the robots at the Henn na Hotel chain in Japan has happened again within the same organization. In January, it was reported that the chain culled over half of its automated workforce after repeated problems created more work for the human staff than they solved. This indicates that the hotel has faced software-related issues with its robot staff in the past [90414]. (b) There is no specific information in the provided article about the software failure incident happening at other organizations or with their products and services.
Phase (Design/Operation)	design, operation	(a) The software failure incident in the article is related to the design phase. The incident occurred due to a fault in the design of the Tapia robots at the Henn na Hotel chain in Japan. Security engineer Lance R. Vick discovered that the robots could be hacked by placing a cheap NFC sticker on their heads, allowing him to install recording software on the robots. This design flaw enabled unauthorized access to the camera and microphone inside the robots, potentially allowing anyone to spy on guests [90414]. (b) The software failure incident is also related to the operation phase. The incident was exacerbated by the operation of the Tapia robots in the hotel rooms. The robots, designed to be automated concierges, were misused when a security expert was able to exploit a vulnerability in their design by placing an NFC sticker on their heads. This misuse of the robots allowed for unauthorized access to the guests' privacy, highlighting an operational failure in ensuring the security and privacy of the guests [90414].
Boundary (Internal/External)	within_system	(a) The software failure incident at the Japanese robot hotel chain was within_system. The failure was due to a vulnerability in the Tapia robots themselves, specifically related to how NFC tags could be used to hack into the robots and install recording software, allowing unauthorized access to the camera and microphone [90414]. The issue originated from within the system design and implementation of the robots, leading to the security flaw that could potentially compromise guest privacy.
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident in this case occurred due to non-human actions. The incident was related to a security flaw in the Tapia robots at the Henn na Hotel chain in Japan that allowed anyone to hack into the robots by placing a cheap NFC sticker on their heads. This flaw enabled the installation of recording software on the robots, potentially allowing unauthorized access to guests' rooms and conversations [90414]. The vulnerability was not introduced by human actions but was a result of a design flaw in the robots themselves. (b) Human actions were involved in the response to the software failure incident. The security engineer, Lance R. Vick, discovered the vulnerability in the Tapia robots and exposed it on Twitter, highlighting the potential security risk posed by the flaw [90414]. Additionally, the owners of the Henn na Hotel chain apologized for the incident and stated that they had fixed the fault to address the issue [90414].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident in the article was related to hardware. The incident occurred due to a vulnerability in the Tapia robots at the Henn na Hotel chain in Japan. Security engineer Lance R. Vick discovered that the robots could be hacked by placing a cheap NFC sticker on their heads, allowing him to install recording software on the robots. This hardware vulnerability enabled unauthorized access to the cameras and microphones inside the robots, potentially compromising guests' privacy [90414]. (b) The software failure incident in the article was also related to software. The vulnerability exploited by Lance R. Vick involved using an NFC sticker to bypass the limitations of the software on the Tapia robots. By imprinting a web address on the NFC sticker, he was able to break out of the software restrictions and gain unrestricted internet access, ultimately installing recording software on the robots. This software flaw allowed for the unauthorized access to the robot's functionalities, leading to the potential spying on guests [90414].
Objective (Malicious/Non-malicious)	malicious	(a) The software failure incident in this case was malicious. The incident involved a security expert, Lance R. Vick, who discovered a vulnerability in the Tapia robots at the Henn na Hotel chain in Japan. By placing a cheap NFC sticker on the robots' heads, he was able to hack into them and install recording software, potentially allowing him to spy on guests by accessing the cameras and microphones remotely. This act was intentional and aimed at exploiting the security flaw for unauthorized surveillance [90414]. (b) The software failure incident was non-malicious in the sense that the hotel owners and the robot manufacturer did not intentionally introduce the vulnerability. However, it was a result of a fault in the design or implementation of the robots, which allowed for unauthorized access and potential spying on guests. The hotel owners apologized for the incident and stated that they had fixed the fault to prevent any further unauthorized access to the robots [90414].
Intent (Poor/Accidental Decisions)	poor_decisions	(a) The intent of the software failure incident was poor_decisions. The incident occurred because the owners of the Japanese robot hotel chain ignored warnings about a security vulnerability in their bedside robots that could be exploited for spying on guests. Despite being informed by security engineer Lance R. Vick about the hackability of the robots, the owners did not take appropriate action within the given 90-day period. This lack of response and negligence on the part of the owners led to the security flaw remaining unaddressed until it was publicly exposed [90414].
Capability (Incompetence/Accidental)	development_incompetence, accidental	(a) The software failure incident in the article was related to development incompetence. The incident occurred because the Tapia robots at the Henn na Hotel chain in Japan could be hacked by placing a simple NFC sticker on their heads, allowing unauthorized access to the camera and microphone inside the robots [90414]. The security expert, Lance R. Vick, highlighted this vulnerability on Twitter, indicating that the vendor had 90 days to address the issue but did not take action, showcasing a lack of professional competence in addressing security vulnerabilities promptly. (b) Additionally, the incident could also be categorized as accidental, as the vulnerability that allowed anyone to spy on guests by hacking the robots was not intentional but rather a flaw that was discovered and exploited accidentally by the security engineer Lance R. Vick [90414].
Duration	temporary	(a) The software failure incident in this case was temporary. The incident occurred due to a specific vulnerability in the Tapia robots at the Henn na Hotel chain in Japan, which allowed anyone to hack into the robots and potentially spy on guests by installing recording software [90414]. The vulnerability was related to the use of NFC stickers that could be placed on the robots' heads to gain unauthorized access to the camera and microphone. The hotel owners acknowledged the fault, apologized for the situation, and stated that they had fixed the issue to prevent further exploitation of the vulnerability.
Behaviour	other	(a) crash: The software failure incident in the article did not involve a crash where the system lost state and did not perform any of its intended functions. The issue was related to a security vulnerability that allowed unauthorized access to the robots' cameras and microphones [90414]. (b) omission: The software failure incident did not involve omission where the system omitted to perform its intended functions at an instance(s). Instead, the issue was related to a security flaw that allowed unauthorized access to the robots' functionalities [90414]. (c) timing: The software failure incident was not related to timing, where the system performed its intended functions correctly but too late or too early. The issue was a security vulnerability that allowed unauthorized access to the robots' cameras and microphones [90414]. (d) value: The software failure incident did not involve a failure due to the system performing its intended functions incorrectly. The issue was related to a security vulnerability that allowed unauthorized access to the robots' functionalities [90414]. (e) byzantine: The software failure incident did not exhibit a byzantine behavior where the system behaved erroneously with inconsistent responses and interactions. The issue was a security vulnerability that allowed unauthorized access to the robots' functionalities [90414]. (f) other: The software failure incident involved a security vulnerability that allowed unauthorized access to the robots' cameras and microphones by exploiting a flaw in the system's design. This unauthorized access could potentially compromise guests' privacy and security [90414].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, embedded_software	(a) The failure was related to the sensor layer of the cyber physical system that failed. Lance R. Vick was able to hack into the Tapia robots at the Henn na Hotel chain in Japan by placing a simple NFC sticker on their heads, which allowed him to download and install recording software. This software would have enabled him to access the camera and microphone inside the Tapia robot from anywhere in the world, indicating a sensor-related vulnerability [90414].
Communication	link_level	The software failure incident reported in Article 90414 was related to the communication layer of the cyber physical system that failed at the link_level. The failure was due to the vulnerability in the Tapia robots at the Henn na Hotel chain in Japan, which allowed unauthorized access to the camera and microphone inside the robots by placing an NFC sticker on their heads. This vulnerability enabled the installation of recording software, granting remote camera/mic access to all future guests, indicating a failure at the link_level of the cyber physical system [90414].
Application	TRUE	The software failure incident reported in the article [90414] was related to the application layer of the cyber physical system. The failure was due to a fault in the bedside droids at the Henn na Hotel chain in Japan, which allowed anyone to hack into the robots by placing a cheap NFC sticker on their heads. This hack enabled the installation of recording software on the robots, granting unauthorized access to guests' rooms and potentially allowing spying on guests through the cameras and microphones inside the Tapia robots. The exploit involved bypassing the limitations of the software on the robots by imprinting a web address on an NFC sticker, thereby breaking out of the restricted access and gaining full control over the device's functionalities [90414].

Other Details

Category	Option	Rationale
Consequence	property, non-human, unknown	(a) unknown (b) unknown (c) unknown (d) People's privacy and security were impacted due to the software failure incident at the Japanese robot hotel chain. The fault in the bedside droids allowed anyone to potentially spy on guests by accessing the camera and microphone inside the Tapia robots [90414]. (e) unknown (f) Non-human entities, specifically the robots at the Henn na Hotel chain in Japan, were impacted by the software failure incident. The Tapia robots could be hacked using a cheap NFC sticker, allowing unauthorized access to the camera and microphone inside the robots [90414]. (g) The hotel owners apologized for the software failure incident and stated that they had fixed the fault. They mentioned that there was no evidence that any guests were actually spied on, indicating that there were no real observed consequences of the software failure in terms of guests being watched [90414]. (h) unknown (i) unknown
Domain	information, entertainment	(a) The failed system in the incident was related to the hospitality industry, specifically the Henn na Hotel chain in Japan where robots were used as bedside droids to assist guests [90414]. The robots were designed to provide information to guests, such as the weather or online shopping options, and act as automated concierges.

Sources

Japanese robot hotel apologises after security expert exposes hacking flaw - Daily Mail - Published on: 2019-10-24
Article ID: 90414

Back to List