The True Companion company markets for the last few years the first robot to have sex with: Roxxxy. Unfortunately it is not possible to find too much information about the technical features of the robot on the company website, but with the available information a few conclusions can be drawn, so I thought it would be fun to do a post about possible attack vectors.
Disclaimer: everything described here is based on information obtained from the company website and my imagination, no attack has been tested in real (yet) because I do not have this robot, but if any reader wants to send me a pair of robots to make reverse engineering, I will be happy to inform you first of all the 0day I find đ
You can choose different customizable versions: hair color, personality (up to 5 profiles that you can customize even more!), and according to the model it/she can even talk, have some understanding and respond to touch. These features make me think that the robot must have different types of sensors and microprocessors. Also it has USB port, Ethernet and Wi-fi so it also has the ability to communicate (can receive updates via the Internet). The USB must be connected to a Windows computer so that the robot can talk to us.
An interesting concept is that we can give our custom robot personality to other users registered at the company Forum (aka Swingers for robots) temporarily, this means that the robot can replace its personality for a limited time with another one created by other users.
Now with this information, we propose different theoretical/fictitious attack scenarios:
1. The robot could bring from manufacture some malware implant to compromise the user computer via USB.
2. It could include a malicious AP, Wifi Pineapple style, inside the robot to carry out further attacks on the network/systems.
3. An attacker could steal the robot profile (personality) to resell it to the customer (Ransomware).
4. An attacker could modify the internal engines of the robot to do damage to the customer when “having sex” (although I doubt that the robot has sufficiently powerful engines in the current version).
5. Nothing is said of the sight (vision) of the robot, but if does have it, you could use the cameras to spy on the user (Hello, NSA!)
6. Also the robot could be used to record the voice of the customer.
7. And, with all this information, blackmail the customer to not make public their sexual tastes/tendencies.
8. An attacker could send a malicious personality to the forum so victims install it on their robots with different purposes.
We talk much about the risks to critical infrastructure, the Cloud, Big Data and the Internet of Things (IoT), but in the coming years the security and risks of robots will become more relevant when they are more and more present in our personal and professional lives…
What additional attacks can you think of? đ
— Simon Roses Femerling / @simonroses