
AIBO Authentication Algorithm Corruption Vulnerability

To: BugTraq
Subject: CERT Advisory CA-2000-69
Date: Mon Jul 10 2000 04:00:16
Author: Jamie Rishaw
Message-ID: <20000710160016.A24976@next.hway.net>


CERT Advisory CA-2000-69
AIBO Authentication Algorithm Corruption Vulnerability 

   Original Release Date: July 10, 2000
   Last Revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems affected

   * AIBO ERS-110 Aperios OS
   * AIBO ERS-111 Aperios OS

Overview

   A vulnerability involving the Visual authentication algorithm has
   recently been identified in the Sony, Inc. "AIBO" Entertainment
   Robot.  Owners of AIBO Robots are encouraged to upgrade their
   Aperios DogOS as soon as possible.

   The AttackBite() control has a serious vulnerability that allows
   remote intruders within earshot of AIBO to execute arbitrary code.
   Scripts are proliferating the Internet with new routines such as
   PeeOnRug(), ShoeChew(), KillTheCat() and AttackOwnersGenitals().
   The latter, classified by CERT as a "Denial of Service" attack, is
   most vicious, and for this reason CERT encourages immediate patch
   implementation.  Some common circumstances under which this
   vulnerability can be exploited are addressed by the Sony patch;
   others are not.

I. Description

   There are at least three distinct vulnerabilities in the ERS-110
   and ERS-111 implementation of the Aperios software.  All of these
   vulnerabilities may be exploited to effect Quicker-Picker-Upper and
   Owner Discomfort attacks with varying degrees of severity.  Owners
   are advised, until patch completion, to guard themselves, and to
   have extra paper towels on hand.

   - The AIBO Sound Controller, when configured to play Britney
   Spears' "Oops, I Did It Again," will cause AIBO to lift a hind leg
   and spontaneously leak battery juice on the floor, simulating a
   urination (female ERS-110 models "squat" during this exploit).

   - The buffer used to hold the variable MyOwner in the function
   process_face() can be overflowed, reverting AIBO into experimental
   AiboPitBull code.  When combined with the Sound Controller's
   Performance Mode signal, unpatched AIBO units can receive arbitrary
   code, and multiple reports of owner emasculation have been reported.

   - (Unverified) Owners who accidentally have left their television
   on late at night have reported incidents of AIBO attacking their
   small children and pets within minutes of the airing of "Tom Vu's
   Real Estate Seminar," The Story of A Vietnamese Immigrant's
   rags-to-riches Infomercial.

   - Two reports have been submitted where a race condition involving
   Tom Vu's Real Estate Seminar and presence of Richard Simmons'
   "Farewell to Fat" have caused AIBO units to "die".  We are still
   investigating this.


II. Impact

   Depending on the version of AIBO, the environment in which it is
   running, and the particular vulnerability that is exploited, a
   remote attacker can cause one or more of the following:

   - The AIBO to attack its owner,
   - The AIBO to wake, walk off its base station and attack
     children/pets,
   - The AIBO to generate Cyber-Body-Fluid and/or Excretion, and/or
   - The AIBO to die.


III. Solution

   Upgrade your version of AIBO Aperios DogOS

   If you are running vulnerable Aperios and cannot upgrade, you are
   strongly advised to remove the battery from AIBO's behind and contact
   Sony for more assistance.


Appendix A. Vendor Information

Sony, Inc.

  Please see
  http://www.world.sony.com/robot/aperios_vuln.htm


Richard Simmons

  Please see
  http://www.richardsimmons.com/shop/info.idc?id=08-00164

   _________________________________________________________________

   The CERT Coordination Center thanks your Mom and Eva Peron for
   their help in developing this advisory.
   _________________________________________________________________

   Author: Jamie Rishaw 
   _________________________________________________________________

   This document is available from:
        http://arpa.com/advisories/CERT-2000-69.html
   _________________________________________________________________

   (This is a spoof, if you haven't gotten it by now)
   _________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by
   email.  Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   * "CERT" and "CERT Coordination Center" had absolutely nothing to
   do with this advisory, and do not support it.  It's a parody.

   NO WARRANTY Any material furnished by Carnegie Mellon University
   and the Software Engineering Institute is furnished on an "as is"
   basis. Carnegie Mellon University makes no warranties of any kind,
   either expressed or implied as to any matter including, but not
   limited to, warranty of fitness for a particular purpose or
   merchantability, exclusivity or results obtained from use of the
   material. Carnegie Mellon University does not make any warranty of
   any kind with respect to freedom from patent, trademark, or
   copyright infringement.
   _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

Revision History
July 10, 2000: Initial Release

Edited by Tim Finin & Yannis Labrou of UMBC ebiquity and the UMBC Computer Science and Electrical Engineering Department. Comments to agentweb@agents.umbc.edu.