JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots

Share this article on:

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed.

Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks on hospital networks.

The vulnerabilities, which are collectively named JekyllBot:5, were identified by Asher Brass and Daniel Brodie of the healthcare IoT security firm Cynerio. The researchers said the vulnerabilities require a low level of skill to exploit, can be exploited remotely if the system is connected to the Internet, and exploitation of the vulnerabilities does not require any special privileges.

One of the vulnerabilities is rated critical with a CVSS severity score of 9.8 out of 10 and the other four are all high-severity issues with CVSS scores between 7.6 and 8.2. The most serious vulnerability, tracked as CVE-2022-1070, could be exploited by an unauthenticated attacker to access the TUG Home Base Server websocket, which would allow the attacker to cause a denial-of-service condition, gain access to sensitive information, and take full control of TUG robots.

Two of the vulnerabilities – CVE-2022-1066 and CVE-2022-26423 – are due to missing authentication and have been given CVSS scores of 8.2. The first vulnerability can be exploited by an unauthenticated attacker and allows new users to be created with administrative privileges and allows existing users to be modified or deleted. The second vulnerability allows an unauthenticated attacker to freely access hashed user credentials.

The remaining two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console vulnerable to cross-site scripting attacks. Both flaws have been given a CVSS score of 7.6.

“The worst-case scenario is a total disruption of critical care and violation of patient privacy, and JekyllBot:5 would give attackers the means to compromise security in ways they would not otherwise be able to, especially in terms of physical security,” said Brodie.

The researchers notified Aethon and CISA about the vulnerabilities. Aethon has patched the vulnerabilities via a new firmware release – version 24. All versions of the firmware prior to version 24 are at risk of exploitation of the JekyllBot:5 vulnerabilities.

Further steps can also be taken to minimize the risk of the exploitation of vulnerabilities. CISA recommends not exposing control system devices and systems to the Internet, locating all control systems behind firewalls, and isolating systems such as TUG Home Base Server from business networks. If remote access is necessary, Virtual Private Networks should be required for access and VPNs should be kept up to date and always be running the latest software version.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On