Healthcare IoT security solutions provider Cynerio has discovered five zero-day vulnerabilities collectively known as JekyllBot:5, which allow attackers to affect commonly used robots found in hundreds of hospitals worldwide.
Aethon TUG smart autonomous robots are designed to handle healthcare-related tasks such as distributing medication, cleaning, and transporting hospital supplies. The robots leverage radio waves, sensors, cameras and other technology to open doors, take elevators and travel throughout hospitals unassisted without bumping into people and objects. However, the very technology that lets the robots move around the hospital independently is what makes their vulnerabilities so dangerous in the hands of a potential attacker.
The JekyllBot:5 vulnerabilities were discovered by the Cynerio Live research team and reside in the TUG Homebase Server’s JavaScript and API implementation, as well as in a WebSocket that relied on absolute trust between the server and the robots to relay commands to them. The vulnerabilities carry CVSS scores as high as 9.8, and some of the more severe attack scenarios their exploitation could enable include:
- Disrupting or impeding the timely delivery of patient medications and lab samples essential for optimal patient care
- Interfering with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems
- Monitoring or taking videos and pictures of vulnerable patients, staff, and hospital interiors, as well as sensitive patient medical records
- Controlling all physical capabilities and locations of the robots to allow access to restricted areas, interaction with patients or crashing into staff, visitors and equipment
- Hijacking legitimate administrative user sessions in the robots’ online portal and injecting malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.
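The root cause the article names for the WebSocket flaw, a command channel that trusts every message it receives, is illustrated below as an added Python example. It is not Cynerio's or Aethon's code and makes no claim about how the TUG Homebase Server or the robots actually implement their channel; it shows the defect class beside one defensive pattern (a per-robot HMAC tag, a strictly increasing sequence number and a command allow-list checked by the receiving side). The names ROBOT_KEYS, CommandVerifier, build_command and demo, the command set and the sample messages are all constructed for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: one shared secret per robot, provisioned out of band.
ROBOT_KEYS = {"tug-01": secrets.token_bytes(32)}

# Commands the receiving robot is willing to execute at all (constructed set).
ALLOWED_COMMANDS = {"goto", "open_door", "call_elevator", "stop"}


def trusting_handler(raw: bytes) -> dict:
    """The defect class described above: any message that arrives on the
    channel is parsed and treated as a legitimate command."""
    return json.loads(raw)


def _tag(key: bytes, robot_id: str, seq: int, command: str, arg: str) -> str:
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    canon = json.dumps([robot_id, seq, command, arg], separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build_command(robot_id: str, seq: int, command: str, arg: str = "") -> bytes:
    """Sender side: attach a sequence number and an HMAC tag to the command."""
    msg = {"robot": robot_id, "seq": seq, "cmd": command, "arg": arg}
    msg["tag"] = _tag(ROBOT_KEYS[robot_id], robot_id, seq, command, arg)
    return json.dumps(msg).encode()


class CommandVerifier:
    """Receiver side: accept a command only if it is well-formed, carries a
    valid tag under this robot's key, has not been seen before, and names an
    allowed operation."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {robot_id: 0 for robot_id in keys}

    def accept(self, raw: bytes) -> dict:
        try:
            msg = json.loads(raw)
            robot_id = str(msg["robot"])
            seq = int(msg["seq"])
            command = str(msg["cmd"])
            arg = str(msg.get("arg", ""))
            tag = str(msg["tag"])
        except (ValueError, KeyError, TypeError):
            raise ValueError("malformed command")
        key = self.keys.get(robot_id)
        if key is None:
            raise PermissionError("unknown robot")
        # Constant-time comparison of the tag before anything else is trusted.
        if not hmac.compare_digest(_tag(key, robot_id, seq, command, arg), tag):
            raise PermissionError("bad tag")
        # Strictly increasing sequence numbers stop captured messages being replayed.
        if seq <= self.last_seq[robot_id]:
            raise PermissionError("replayed or stale command")
        if command not in ALLOWED_COMMANDS:
            raise PermissionError("command not permitted")
        self.last_seq[robot_id] = seq
        return {"cmd": command, "arg": arg}


def _rejected(verifier: CommandVerifier, raw: bytes) -> bool:
    try:
        verifier.accept(raw)
    except (PermissionError, ValueError):
        return True
    return False


def demo() -> dict:
    """Run the same messages through both handlers and report what each does."""
    verifier = CommandVerifier(ROBOT_KEYS)
    signed = build_command("tug-01", 1, "goto", "pharmacy")
    # Constructed unsigned message of the kind a trusting channel would execute.
    unsigned = json.dumps({"robot": "tug-01", "seq": 2, "cmd": "open_door",
                           "arg": "icu", "tag": "0" * 64}).encode()
    # A signed message whose argument was altered in transit.
    tampered = signed.replace(b'"pharmacy"', b'"icu"')
    return {
        "signed_accepted": verifier.accept(signed) == {"cmd": "goto", "arg": "pharmacy"},
        "replay_rejected": _rejected(verifier, signed),
        "trusting_runs_unsigned": trusting_handler(unsigned)["cmd"] == "open_door",
        "unsigned_rejected": _rejected(verifier, unsigned),
        "tampered_rejected": _rejected(verifier, tampered),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the split is where the check lives: the trusting handler assumes that anything reaching the socket came from the server, so whoever can reach the socket can command the robot. The verifier makes each robot hold its own key and refuse anything it cannot authenticate, which also gives a natural detection hook, since every rejected message is worth logging.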
“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,” says Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and Head of Cyber Network Analysis at Cynerio. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”
The JekyllBot:5 vulnerabilities have been mitigated by the device manufacturer following Cynerio’s disclosure of the risks through the CISA Coordinated Vulnerability Disclosure process. Several patches have been applied to the robot fleets at each Aethon customer hospital, including one major patch that required replacing firmware and an operating system update for robots at some hospitals. In addition, Aethon was able to update the firewalls at particular hospitals known to have vulnerable robots so that public access to the robots through the hospitals’ IP addresses was prevented as the fixes were rolled out.
“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” says Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”