A Japanese travel company has apologized after failing to prevent hackers from being able to spy on hotel guests in bed via in-room robots.
A vulnerability in 100 bed-facing Tapia robots used in the Henn na Hotel Maihama Tokyo Bay meant that hackers could watch and listen to what guests got up to in bed.
The hotel, which is owned by H.I.S. Group, is famous for being staffed by androids. Guests can be checked in by a chatty dinosaur robot or ultra-polite humanoid reception bot on arrival. Hotel rooms are unlocked using facial recognition technology, and inside each room is a bed-side bot that acts as a virtual assistant.
A security researcher claimed on Twitter that he had warned the H.I.S. Group back in July that the bedroom robots were hackable. According to the researcher, the bots have unsigned code, which means that a user can tap an NFC tag to the back of the robot's head and allow access via whatever streaming app they choose.
By exploiting this vulnerability, anyone with access to the hotel room can use the robot's cameras and microphones to spy on guests.
The researcher publicly announced the hack on October 13 after allegedly receiving no response from the hotel group.
Japanese newspaper the Tokyo Reporter said that H.I.S. Group has apologized for ignoring warnings that the in-room robots posed a massive privacy and security risk.
According to the newspaper, the company had decided that the chance of hackers gaining unauthorized access to the bots was too low to merit any action. The robots have now been updated and are no longer vulnerable.
H.I.S. Group said on Twitter: "We apologize for any uneasiness caused."
Thomas Hatch, CTO and co-founder at SaltStack, a provider of intelligent IT automation software, commented: "This is a situation where the general populace is being violated in unsuspected ways because of the rampant introduction of centrally managed devices, like robots, TVs, toys and more.
"We end up in a situation that is new to humanity, one where we are monitored more aggressively than our predecessors imagined, and not by central authorities but by criminals."
Hatch predicted incidents of this nature will become increasingly common. He then said: "Even large companies with large resources are struggling to keep up with securing their assets, let alone smaller companies that are pushing these devices out to the world. Many smaller companies lack the proclivity or motivation to secure such devices."