CERT Advisory CA-2000-69 AIBO Authentication Algorithm Corruption Vulnerability

Original Release Date: July 10, 2000
Last Revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems affected

* AIBO ERS-110 Aperios OS
* AIBO ERS-111 Aperios OS

Overview

A vulnerability involving the Visual authentication algorithm has recently been identified in the Sony, Inc. "AIBO" Entertainment Robot. Owners of AIBO Robots are encouraged to upgrade their Aperios DogOS as soon as possible.

The AttackBite() control has a serious vulnerability that allows remote intruders within earshot of AIBO to execute arbitrary code. Scripts are proliferating on the Internet with new routines such as PeeOnRug(), ShoeChew(), KillTheCat() and AttackOwnersGenitals(). The latter, classified by CERT as a "Denial of Service" attack, is most vicious, and for this reason CERT encourages immediate patch implementation.

Some common circumstances under which this vulnerability can be exploited are addressed by the Sony patch; others are not.

I. Description

There are at least three distinct vulnerabilities in the ERS-110 and ERS-111 implementation of the Aperios software. All of these vulnerabilities may be exploited to effect Quicker-Picker-Upper and Owner Discomfort attacks with varying degrees of severity. Owners are advised, until patch completion, to guard themselves, and to have extra paper towels on hand.

- The AIBO Sound Controller, when configured to play Britney Spears' "Oops, I Did It Again," will cause AIBO to lift a hind leg and spontaneously leak battery juice on the floor, simulating a urination (female ERS-110 models "squat" during this exploit).
- The buffer used to hold the variable MyOwner in the function process_face() can be overflowed, reverting AIBO into experimental AiboPitBull code. When combined with the Sound Controller's Performance Mode signal, unpatched AIBO units can receive arbitrary code, and multiple reports of owner emasculation have been received.
- (Unverified) Owners who accidentally have left their television on late at night have reported incidents of AIBO attacking their small children and pets within minutes of the airing of "Tom Vu's Real Estate Seminar," The Story of A Vietnamese Immigrant's rags-to-riches Infomercial.
- Two reports have been submitted where a race condition involving Tom Vu's Real Estate Seminar and the presence of Richard Simmons' "Farewell to Fat" has caused AIBO units to "die". We are still investigating this.

II. Impact

Depending on the version of AIBO, the environment in which it is running, and the particular vulnerability that is exploited, a remote attacker can cause one or more of the following:

- The AIBO to attack its owner,
- The AIBO to wake, walk off its base station and attack children/pets,
- The AIBO to generate Cyber-Body-Fluid and/or Excretion, and/or
- The AIBO to die.

III. Solution

Upgrade your version of AIBO Aperios DogOS

If you are running vulnerable Aperios and cannot upgrade, you are strongly advised to remove the battery from AIBO's behind and contact Sony for more assistance.

Appendix A. Vendor Information

Sony, Inc.

Please see http://www.world.sony.com/robot/aperios_vuln.htm

Richard Simmons

Please see http://www.richardsimmons.com/shop/info.idc?id=08-00164
_________________________________________________________________

The CERT Coordination Center thanks your Mom and Eva Peron for their help in developing this advisory.
_________________________________________________________________

Author: Jamie Rishaw <jamie@arpa.com>
_________________________________________________________________

This document is available from: http://arpa.com/advisories/CERT-2000-69.html
_________________________________________________________________

(This is a spoof, if you haven't gotten it by now)
_________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
* "CERT" and "CERT Coordination Center" had absolutely nothing to do with this advisory, and do not support it. It's a parody.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Revision History

July 10, 2000: Initial Release