Critical vulnerabilities uncovered in hospital robots

Vendor Aethon has patched five critical vulnerabilities in hospital robots used to deliver medical supplies.

The world of health-related cybersecurity issues is still relatively untouched. In recent years, we’ve seen the impact of ransomware outbreaks in hospitals; software vulnerabilities including those that could, in theory, stop a pacemaker from working, and countless patient data leaks at providers worldwide.

However, unless there’s a clear-cut financial benefit, many cyberattackers will ignore medical devices in favor of hitting businesses likely to provide them with illicit revenue.

This doesn’t mean that vendors, or defenders, should ignore vulnerabilities and security issues surrounding medicine, especially as digital health, personalized medicine, and remote care continue to develop.

Medical devices can fall short of adequate security measures, as recently revealed in Cynerio‘s public disclosure of Jekyllbot:5 (.PDF), five critical vulnerabilities in Aethon TUG robots.

Read on: Black Hat: How your pacemaker could become an insider threat to national security

Aethon’s mobile robots are autonomous devices used by hundreds of hospitals to perform basic, repetitive tasks to augment existing workforces.

TUGs run errands including medicine delivery, cleaning, and dropping off linen and other supplies to healthcare professionals. Stanford is a healthcare provider that uses the robots in drug deliveries, which can move at 2mph down pre-determined routes.

According to Cynerio, the five vulnerabilities allow attackers to take over a robot’s activities, including taking photos; snooping on the hospital in real-time via camera feeds, accessing patient records; disrupting or blocking drug delivery, all of which could impact patient care.

In addition, the team says the bugs could be used to hijack user sessions or “take control of the robot’s movement and crash them into people or objects, or use them to harass patients and staff.”

The vulnerabilities, now assigned CVEs, are below:

  • CVE-2022-1066 (CVSS 8.2): Missing authorization checks, allowing unauthenticated attackers to add or modify existing user accounts
  • CVE-2022-26423 (CVSS 8.2): Missing authorization checks, allowing free access to hashed credentials
  • CVE-2022-1070 (CVSS 9.8): Failures to verify end users, permitting attackers to access the TUG Home Base Server and take control of connected robots
  • CVE-2022-27494 (CVSS 7.6): User-controlled input is not neutralized, allowing XSS attackers to trigger on report pages
  • CVE-2022-1059 (CVSS 7.6): User-controlled input is not neutralized before being shown in a web portal, and so Fleet page users may be subject to reflected XSS attacks

The critical flaws were found during an audit on behalf of a client healthcare provider. While Cynerio’s customer had not connected their robots to the internet — and, therefore, they were safe from active exploit — the cybersecurity firm said “several” hospitals had internet-connected robots that could be remotely controlled in the Cynerio Live research lab.

The vendor was notified of the vulnerabilities through the US Cybersecurity and Infrastructure Security Agency (CISA).

Cynerio worked with Aethon to develop suitable patches, and the latest version of TUG firmware contains fixes. In addition, Aethon developed firewall updates at customer hospitals to restrict public access. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


READ MORE HERE