Temi's interactive assistance robots are remotely exploitable with little more than a phone number.

On Thursday at Black Hat USA, McAfee's Advanced Threat Research (ATR) team disclosed new research into the robots, which uncovered remotely exploitable vulnerabilities that could lead to mobile, audio, and video tampering on the hospital floor.

The robot in question is Robotemi Global's Temi, a "personal robot" that uses a range of sensors, artificial intelligence (AI) and machine learning (ML) technologies, as well as modern voice activation and mobile connectivity to perform functions including personal assistance tasks, answering Internet queries, and facilitating remote video calls.

[...] In total, four vulnerabilities were found: the use of hard-coded credentials, an origin validation error, missing authentication for critical functions, and an authentication bypass. The security issues spotted by McAfee have been assigned CVE-2020-16170, CVE-2020-16168, CVE-2020-16167, and CVE-2020-16169.

"Together, these vulnerabilities could be used by a malicious actor to spy on Temi's video calls, intercept calls intended for another user, and even remotely operate Temi -- all with zero authentication," the researchers say.