Follow Up on Disclosure of Non-Critical Security Issue & Mitigation

To our customers,

On Friday, our CEO, David, sent an email disclosing a non-critical security issue and its mitigation. We'd like to take the opportunity to further explain what was discovered and the steps we took afterwards.

Rapid7 identified three potential security vulnerabilities: unauthenticated access to data, static user session management, and open Bluetooth pairing. We patched the first two as outlined below, but do not have plans to change the third. Please see below for full explanations.

1. Unauthenticated access to data: The accessible data included the robot nickname, serial number, latitude, and longitude. No other personally identifiable data was accessible – not username, email, company, password, or anything else. The initial bug report sounded worse than it was because of terms like "device installation_keys", but those are meaningless identifiers used in our system that could be published publicly without risk. Nevertheless, this data leak was patched within seven days of Rapid7 bringing it to our attention.

2. Static user session management: There was no data leak on this one. The session ID is simply used to keep a user logged in, similar to how users are always logged in to the Twitter and Facebook apps on their phones. As the initial bug report states, this could only be exploited by a man-in-the-middle attack, but we use industry-standard TLS encryption to prevent this. We've implemented cycling of these session IDs to meet the high security requirements of our enterprise customers.
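To make the distinction between a static session ID and a cycled one concrete, here is an added example of a server-side session store that rotates session IDs and expires idle sessions. It is illustrative code written for this note, not Double's implementation, and it assumes a simple in-memory store with a clock passed in so the rotation can be exercised deterministically; the rotation and idle timeouts are assumed values.

```python
import secrets
import time

# Constructed example: an in-memory session store. A fresh random session ID is
# issued at login, the ID is replaced once it has been in use for ROTATE_AFTER
# seconds, and a session that sits idle for IDLE_TIMEOUT seconds is discarded.
# A static session ID, by contrast, would stay valid for as long as the account
# existed, so any copy of it that leaked would keep working indefinitely.

ROTATE_AFTER = 15 * 60   # assumed: seconds a session ID is used before rotation
IDLE_TIMEOUT = 60 * 60   # assumed: seconds of inactivity before the session dies


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        # session_id -> {"user": str, "issued": float, "last_seen": float}
        self._sessions = {}

    def _new_record(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        t = self._now()
        self._sessions[sid] = {"user": user, "issued": t, "last_seen": t}
        return sid

    def login(self, user):
        """Issue a brand-new session ID; never reuse one across logins."""
        return self._new_record(user)

    def validate(self, sid):
        """Return (user, session_id) for a live session, or (None, None).

        The returned session_id may differ from the one presented: when the
        ID has aged past ROTATE_AFTER it is replaced and the old one deleted,
        so a captured copy stops working at the next rotation.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None, None
        t = self._now()
        if t - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]          # idle too long: treat as logged out
            return None, None
        rec["last_seen"] = t
        if t - rec["issued"] > ROTATE_AFTER:
            new_sid = self._new_record(rec["user"])
            del self._sessions[sid]          # invalidate the old ID immediately
            return rec["user"], new_sid
        return rec["user"], sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Walk a fake clock through login, rotation and idle expiry."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.login("alice")
    _, same = store.validate(sid)            # fresh ID: unchanged
    clock[0] += ROTATE_AFTER + 1
    user, rotated = store.validate(sid)      # aged past ROTATE_AFTER: replaced
    old = store.validate(sid)                # the old ID no longer works
    clock[0] += IDLE_TIMEOUT + 1
    expired = store.validate(rotated)        # idle too long: gone
    return {
        "same": same == sid,
        "rotated": user == "alice" and rotated != sid,
        "old_dead": old == (None, None),
        "expired": expired == (None, None),
    }


if __name__ == "__main__":
    print(demo())
```

The client must be prepared to receive a new session ID on any request and store it in place of the old one; the store above returns the current ID from `validate` for exactly that reason.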

Regarding the open Bluetooth pairing question, Double is always connected to the iPad via Bluetooth and the iPad is always on and receiving charge from the base, so the connection cannot be hijacked or intercepted. The Bluetooth connection is also very short range, so an attacker would need to be within 30-50 feet of Double (i.e. already have access to the facility) and catch it in a moment when the iPad's battery has died while the robot base still has some battery left. There is also no microphone or camera accessible through Double's Bluetooth connection, so the attacker wouldn't have access to any communications. Because of this extremely low risk, we do not see the need for a pairing code.

No calls were compromised and no sensitive customer data was exposed. Double uses end-to-end encryption with WebRTC for low latency, secure video calls.

We take security very seriously and strive to make your telepresence experience with Double the very best. Please feel free to reach out to us if you have any further questions.

Thanks,

The Team at Double