Cynerio Discovers Vulnerabilities to Remotely Control Hospital Robots

Cynerio Discovers Vulnerabilities to Remotely Control Hospital Robots

What You Should Know:

– Cynerio, a provider of healthcare IoT security solutions, announced the discovery, exploitation, and disclosure of five zero-day vulnerabilities collectively known as JekyllBot:5, that affect commonly used robots found in hundreds of hospitals worldwide.

– Vulnerabilities found in Aethon Tug hospital robots could allow attackers to circumvent security and remotely surveil and interact with patients, obstruct medication distribution, and disrupt day-to-day hospital operations. 


JekyllBot:5 Vulnerabilities for Aethon TUG Autonomous Robots

Aethon TUG smart autonomous robots are designed to handle healthcare-related tasks such as distributing medication, cleaning, and transporting hospital supplies. The robots leverage radio waves, sensors, cameras and other technology to open doors, take elevators and travel throughout hospitals unassisted without bumping into people and objects. However, the technology that enables the robots to independently move around the hospital are what make their vulnerabilities so dangerous in the hands of a potential attacker.

The JekyllBot:5 vulnerabilities were discovered by the Cynerio Live research team and reside in the TUG Homebase Server’s JavaScript and API implementation, as well as a WebSocket that relied on absolute trust between the server and the robots to relay commands to them. Some of the more severe attack scenarios at risk by potentially exploiting these vulnerabilities, which ranked as high as a 9.8 CVE score, include:

– Disrupting or impeding the timely delivery of patient medications and lab samples essential for optimal patient care

– Interfering with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems

– Monitoring or taking videos and pictures of vulnerable patients, staff, and hospital interiors, as well as sensitive patient medical records

– Controlling all physical capabilities and locations of the robots to allow access to restricted areas, interaction with patients or crashing into staff, visitors and equipment

– Hijacking legitimate administrative user sessions in the robots’ online portal and injecting malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.

Mitigation Details

The JekyllBot:5 vulnerabilities have been mitigated by the device manufacturer following Cynerio’s disclosure of the risks through the CISA Coordinated Vulnerability Disclosure process. Several patches have been applied to the robot fleets at each Aethon customer hospital, including one major patch that required replacing firmware and an operating system update for robots at some hospitals. In addition, Aethon was able to update the firewalls at particular hospitals known to have vulnerable robots so that public access to the robots through the hospitals’ IP addresses was prevented as the fixes were rolled out.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack, “ said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and Head of Cyber Network Analysis at Cynerio. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”