JekyllBot:5 Vulnerabilities Impact Mobile Robot Used in Healthcare

April 12, 2022 - Aethon TUG smart autonomous mobile robots may be impacted by five newly discovered critical zero-day vulnerabilities found by researchers at Cynerio. The vulnerabilities, dubbed JeckyllBot:5, could allow hackers to remotely control the robots, which are used frequently in healthcare settings.Aethon already applied multiple patches to the robots to prevent malicious activity. Hospitals that use the robots should ensure that their devices were patched with the latest firmware version.

It is important to note that the majority of threat actors are financially motivated and have no incentive to harm patients or disrupt hospital operations. However, threat actors may see vulnerable connected devices as an easy network entry point from which they can access critical data and hold it for ransom or obtain user credentials.

Healthcare organizations should maintain strict security standards and prioritize securing all internet-connected devices, which often rely on legacy systems.

The Aethon TUG robot performs simple manual labor tasks and delivers hospital supplies and medications. The robots use radio waves, cameras, motion sensors, and network-interface panels that allow them to go up and down elevators and avoid bumping into things. The robots communicate over Wi-Fi.

Cynerio Live researchers discovered the vulnerabilities as they were carrying out a deployment for a customer hospital.

“Late last year, a Cynerio Live researcher detected anomalous network traffic that seemed to be related to the elevator and door sensors,” the report explained.

“That in turn led to an investigation that revealed a connection from the elevator to a server with an open HTTP port, which then gave the researcher access to a company web portal with information about the Aethon TUG robots’ current status, hospital layout maps, and pictures and video of what the robots were seeing.”

Further investigation revealed that some HTML vulnerabilities on the Aethon TUG web portal page had allowed an attacker to insert malicious javascript code on the requester’s browser when they logged in.

“This would allow attackers the ability to inject malware on any computer seeking to obtain data about Aethon TUG robots,” the report said.

Luckily, the hospital did not have its TUG robots connected to the internet. But Cynerio found several hospitals around the US that had enabled internet connection on the devices, making them exploitable remotely.

Cynerio notified the impacted hospitals and worked with Aethon to guarantee that the latest firmware version contained patches for each vulnerability.

The most severe of the five vulnerabilities, CVE-2022-1070, had a CVSS score of 9.8 out of 10 and involved the product failing to verify the identity of actors at either end of a communication channel.

Another vulnerability, CVE-2022-1066, could allow an attacker to add and delete users and modify administrative privileges.

The vulnerabilities point to a need for an industry-wide push toward IoT and medical device security.

“Identifying and addressing risks and attacks on healthcare IoT needs to be the focus of any strategy meant to curb attacks on this growing threat vector. Unfortunately, too many established approaches for healthcare IoT security use inventory as their central focus and won’t advance on remediating risk or attacks until months or even years into a deployment, or not at all,” Cynerio suggested.

“As the dependency on these healthcare IoT devices and their volume exponentially grows, hospitals will need solutions that treat those devices in much the same way that IT security does, with proactive mitigation of their risks and immediate protective actions for any detected attacks or malicious activity. Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”