McAfee finds security risk with robots in care homes
A personal robot used in care homes for the elderly was recently found to be at risk of attack by hackers.
Security software company McAfee found that virtual assistant temi had vulnerabilities they were able to exploit, including intercepting calls, gaining video access, and even controlling the device remotely without the need for authentication.
temi was launched in early 2019, billed as the world's first cost effective robot, aimed at both business and personal use. The 4-foot-tall robot uses Android software and connects via wifi and bluetooth. It was recently introduced into healthcare facilities and care homes for the elderly, largely to help keep residents connected to family and friends through teleconferencing while visiting has been restricted due to Covid-19.
But when McAfee's Advanced Threat Research department decided to take a close look at temi, they found that the functions that make it such a highly connected device made it a target for malicious attacks.
The McAfee team spent several months analysing the robot's functions, making video calls, marking key locations, and doing more in-depth work like looking at what open network ports the robot exposed and activating an Android debugger.
They found that by making a few changes to the original Android app, phone calls could be easily intercepted. Another few changes and the robot could be manipulated to move around and activate its camera and microphone. To do this, the only information a hacker would need is a telephone number.
This could have very serious consequences in clinical settings. Writing on McAfee's blog, Principal Engineer Douglas McKee said: "With the phone number of anyone who has called a temi recently, a hacker could observe what room number and condition a hospitalised member of congress is in. Temi could watch the security guard type in the building alarm code. Temi could observe the dog pictures on the nurse’s desk labeled with its cute name and birthday, that just happens to also be part of their password."
Inkeeping with their responsible disclosure policy, McAfee contacted temi once they'd confirmed these vulnerabilities. The two organisations have since been working together to improve the security of the robot, and after thorough testing have reported these have been resolved.
"It is always exciting to see the positive impact security research can have when responsible disclosure is valued by vendor and researchers alike" McKee said.