There’s a hotel near Nagasaki, Japan, which is staffed by robots.
You can choose to be checked in to your room at the Henn na Hotel either by a robot in the shape of a dinosaur or a blank-faced fembot, because… well, Japan.
As The Register describes, once you make it up to the room and unlock the door through facial recognition (what happens if there’s a power cut?), all your other requirements are handled by a bedside robot.
If it sounds bonkers that’s because it is bonkers and – you may not be surprised to hear – not entirely popular with guests.
In fact, in January this year it was reported that the hotel was cutting its robotic workforce in half, as many of the robots were better at creating work for humans than reducing it:
“The Henn na Hotel in Japan, translated as Strange Hotel, found that robots annoyed the guests and would often break down. Guests complained their robot room assistants thought snoring sounds were commands and would wake them up repeatedly during the night. Meanwhile, the robot at the front desk could not answer basic questions. Human staff ended up working overtime to repair robots that stopped working.”
Who would have imagined that dinosaurs wouldn’t make the perfect hotel receptionist?
Anyway, it turns out that the hotel’s problems haven’t ended there.
Security researcher Lance R Vick has revealed that back in July he informed the HIS Group, which runs the Henn na Hotel, that the bedside robots found in each room can be easily hacked to allow anyone to remotely spy on guests.
It has been a week, so I am dropping an 0day.
The bed facing Tapia robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests.
Unsigned code via NFC behind the head.
Vendor had 90 days. They didn't care. pic.twitter.com/m2z6yLbrzq
— Lance R. Vick (@lrvick) October 12, 2019
According to Vick, “unsigned code” on the bed-facing bots allows a user to tap an NFC tag on the back of a robot’s head and grant access via a streaming app of their own choosing.
Having not received any response from the hotel chain, Vick decided to publicly reveal details of his hack in the hope that media attention would stir the company into action and warn unsuspecting hotel guests that their nocturnal activities might be snooped upon.
Vick even went so far as to pay for a promoted tweet to spread word of the flaw, frustrated that the news may not spread far enough.
Since they didn't offer a bug bounty or decide to fix it I figured I don't mind spending $$ out of pocket to get the public shaming to spread further.
I want to maximize the PR hit they take for this, so companies think harder about ignoring these issues.
— Lance R. Vick (@lrvick) October 12, 2019
His tactic seems to have worked. Local media reports claim that HIS Group has now acknowledged that a flaw exists and is taking steps to resolve the issue.
Maybe privacy-conscious guests would be wise not to place too much trust in gizmo-obsessed hotels and, if they do find themselves booked into such a bonkers hotel room, to unplug any unnecessary robot gadgets.