Threat Watch

Telepresence Robot Vulnerabilities

Researchers have discovered five vulnerabilities in telepresence robots. If combined, these vulnerabilities could allow an attacker to gain full control of the robot, letting them view live video streams, alter firmware, and steal pictures and chat logs. Two of the five have been patched, while the other three are in the process of being patched. The robots, made by Venca Technologies, are typically found in hospitals. Doctors use them to communicate with patients, they allow sick children to attend a class, and they can be used in factories to allow technical inspections. These robots are also used in board rooms around the world, and if compromised, they can allow an attacker to listen to important meetings and gain access to private information about the company. According to researchers, “Because the robot performs firmware updates over HTTP, an attacker with access to the same network segment where the robot is connected can intercept the update.” The Venca developers also left a developer tool active on the robots, which leaves them vulnerable to a “trove” of attacks. The tool is a CGI script that allows an attacker to execute commands with root privileges.