Connect with us

Hi, what are you looking for?


IoT Security

Flaws Open Telepresence Robots to Prying Eyes

Vulnerabilities in telepresence robots could provide an attacker not only with command execution capabilities, but also with access to a live video stream from the device, Zingbox reports.

Vulnerabilities in telepresence robots could provide an attacker not only with command execution capabilities, but also with access to a live video stream from the device, Zingbox reports.

The healthcare IoT analytics platform provider has analyzed the VGo telepresence robot from Vecna. Nicknamed “Celia,” it has an XMPP chat client that supports voice and video communication over the VGoNet Cloud Network.

When a call is connected, the caller, whose face is displayed on the device’s screen, can control the robot using the client interface. In addition to voice calls and video streaming, the robot can speak text messages, move around at different speeds, take pictures, and recognize speech.VGo telepresence robots are affected by vulnerabilities

During its assessment of the device, Zingbox discovered five vulnerabilities that it reported to the manufacturer via ICS-CERT. These include issues usually found in IoT devices, such as insufficiently protected credentials and the transmission of sensitive information in cleartext.

One of the most important issues discovered in the device was the fact that firmware updates were being delivered over HTTP. Tracked as CVE-2018-8860, the vulnerability could allow an attacker sniffing the network to intercept the update.

Next, the attacker could use various tools to peek inside the intercepted firmware and find weaknesses they could target to compromise the robot. The Zingbox security researchers did find such an issue in the form of a CGI script that was not supposed to be included on production, being a development tool.

“It could run limited commands on the robot, probably for diagnostics, such as those to view running processes, view logs, reboot the robot, and see network connections,” the researchers explain in a report (PDF).

Tracked as CVE-2018-8866, the next vulnerability consists of most of the GET parameters of the CGI being vulnerable to command injection, due to the lack of input validation. This provided the researchers with arbitrary command execution capabilities.

Advertisement. Scroll to continue reading.

Because the CGI script runs with root privileges, the researchers could also gain unauthorized root access to the robot. Leveraging such privileges, an attacker could then abuse the robot to target other systems located in the same network segment.

Code execution could also be achieved with physical access to the USB slot located in the back of the robot. An attacker with a USB stick containing a file with the name startup.script inside a config folder in the root partition could gain code execution by simply plugging in the device into the port and rebooting the robot.

Once inside the robot, the researchers also discovered that Wi-Fi and robot XMPP credentials were stored in plain text (CVE-2018-8858). Armed with the Wi-Fi credentials, an attacker could then start attacking other assets on the network.

The security researchers also discovered chat information in log files, thus being able to read and steal text messages sent between the conversation partners. With the pictures taken by the robot being temporarily stored locally in the robot’s file system, an attacker who already has access to the robot can also retrieve those when they are created.

Moreover, an attacker “can capture live video streaming remotely and start watching the victims live,” the researchers warn.

The vendor has released an update that patches the vulnerabilities. Automatic updates are enabled by default.

Related: IoT Category Added to Pwn2Own Hacking Contest

Related: Addressing IoT Device Security Head-on

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.