As many as five security vulnerabilities have been addressed in Aethon Tug hospital robots that could enable remote attackers to seize control of the devices and interfere with the timely distribution of medication and lab samples.
“Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow full control of robot functions, or expose sensitive information,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory published this week.
AethonTM smart, autonomous mobile robots can be used in hospitals all over the globe to transport medication and clinical supplies. They also independently navigate to other tasks, such as picking up meal plates and cleaning floors.
Collectively dubbed “JekyllBot:5” by Cynerio, the flaws reside in the TUG Homebase Server component, effectively allowing attackers to impede the delivery of medications, surveil patients, staff, and hospital interiors through its integrated camera, and gain access to confidential information.
A worse scenario is that an attacker could exploit the vulnerabilities to steal legitimate user sessions from the robots’ online portal, inject malware and then launch further attacks against health care facilities.
The exploit of these flaws may have allowed “attackers an entry point to laterally travel through hospital networks and perform reconnaissance and then carry out ransomware, breaches and other threats,” said the security company for healthcare IoT.
The list of deficiencies discovered during an audit for a client of a healthcare provider is below –
- CVE-2022-1070 (CVSS score: 9. 8) – An unauthenticated attacker can connect to the TUG Home Base Server websocket to take control of TUG robots.
- CVE-2022-1066 (CVSS score: 8. 2) – An unauthenticated attacker can arbitrarily add new users with administrative privileges and delete or modify existing users.
- CVE-2022-26423 (CVSS score: 8. 2) – An unauthenticated attacker can freely access hashed user credentials.
- CVE-2022-27494 (CVSS score: 7. 6) – The “Reports” tab of the Fleet Management Console is vulnerable to stored cross-site scripting attacks when new reports are created or edited.
- CVE-2022-1059 (CVSS score: 7. 6) – The “Load” tab of the Fleet Management Console is vulnerable to reflected cross-site scripting attacks.
” These zero-day vulnerabilities needed a very limited skill set to exploit, no special privileges and no interaction with users in order to be successful leveraged in an attack,” Asher Brass from Cynerio said.
“If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots. “