R7-2017-01: Multiple Vulnerabilities in Double Robotics
March 13, 2017
This post describes three vulnerabilities in the Double Robotics Telepresence Robot ecosystem related to improper authentication, session fixation, and weak Bluetooth pairing. We would like to thank Double Robotics for their prompt acknowledgement of the vulnerabilities, and in addressing the ones that they considered serious. Two of the three vulnerabilities were patched via updates to Double Robotics servers on Mon, Jan 16, 2017.
The Double Telepresence Robot is a mobile conferencing device. Its mobility allows the remote user to roam around an office for meetings and face-to-face conversations.
From Double Robotics' co-founder and CEO, David Cann:
Summary of Vulnerabilities
Vulnerability Details and Mitigations
R7-2017-01.1: Unauthenticated access to data
In the following example, critical information related to a session was accessed using the URL “https://api.doublerobotics.com/api/v1/session/?limit=1&offset=xxxxxxx&format=jso n” By incrementing the "offset=" number, information for all historical and current sessions could be enumerated:
In the next example, robot and user installation keys were enumerated by incrementing the "offset=" number in the URL https://api.doublerobotics.com/api/v1/installation/?limit=1&offset=xxxxxxx&forma t=json as shown below:
On Mon, Jan 16, 2017, Double deployed a server patch to mitigate this issue.
R7-2017-01.2: Static user session management
Although the driver_token is a complex, unique, 40-character token (and so unlikely to be guessed), it can still be enumerated by anyone who has access to the Double Robot iPad or is successful in creating an SSL man-in-the-middle attack against the device. For example, via a successful man-in-the middle attack or access to the robot iPad's cache.db file, a malicious actor could identify the robot_key as shown below:
Using this robot_key, an unauthenticated user could enumerate all of the user access tokens (driver_tokens) which allow remote control access of the robot. An example of this enumeration method is shown below:
On Mon, Jan 16, 2017, Double Robotics deployed a server patch to mitigate this issue. The API queries described above no longer expose related session tokens to the Double device.
R7-2017-01.3: Weak Bluetooth pairing
The exposure of this vulnerability is limited since the unit can only be paired with one control application at a time. In addition, the malicious actor must be close enough to establish a Bluetooth connection. This distance can be significant (up to 1 mile) with the addition of a high-gain antenna.
On Mon, Jan 16, 2017, Double Robotics indicated it did not see this as a significant security vulnerability, and that it does not currently plan to patch. Users should ensure that the driver assembly remains paired to the control iPad to avoid exposure.
This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.