Japan’s famous Henn na Hotel—the one known for quirky antics like dinosaur receptionists and robot staff “layoffs”—says there was “very little risk” that its guests could’ve been spied on via one of its bedside robots. No biggie.
The hotel chain admitted on its website last week that it recently pulled, updated, and reinstalled the 100 egg-shaped Tapia robots included in rooms at its location near the Tokyo Disney Resort (Google translation here). According to the hotel, as well as a story by the Tokyo Reporter, the chain was contacted in July by security engineer Lance R. Vick about an NFC-related vulnerability. The hotel didn’t respond, and so Vick tweeted it out after 90 days, warning that the bedside robots “can be converted to offer anyone remote camera/mic access to all future guests.” Lovely.
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019
The hotel chain released an apology, stating that “as a result of [its] investigation, it was confirmed that no unauthorized applications were installed,” and that “all of the countermeasures against the unauthorized access method . . . have been completed.” (Translations: Google.)
However teeny the risk may have been for guests, this vulnerability—together with the chain’s apparent inaction and indifference—seems good enough reason for travelers to skip the Henn na Hotel entirely. Besides that, according to some reviews for the hotel on TripAdvisor, the robots seem to be entirely useless in practice.