Mobile robot maker Aethon has fixed a series of vulnerabilities in its Tug hospital robots that, if exploited, could allow an attacker to remotely control hundreds of medical machines.
Exploiting these five bugs, collectively dubbed JekyllBot:5, required no special privileges or user interaction. Once exploited, they could allow miscreants to carry out a range of malicious actions, including accessing user credentials and medical records, locking down elevators and doors, surveilling facilities, disrupting patient care and medication, and launching further cyberattacks.
IoT healthcare security firm Cynerio discovered the vulnerabilities, whose CVSS scores range from 7.7 to 9.8, while deploying the Tug robots for a customer hospital.
Thankfully, none of these vulnerabilities had been exploited in the wild. The threat research team notified the affected hospital, which had not yet connected its Tug robots to the internet.
Cynerio did, however, find “several” hospitals in the US and globally that were using the internet-connected robots, and in each of those cases the researchers could exploit the vulns to remotely control the robots from the Cynerio Live research lab.
“If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots,” said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and head of cyber network analysis at Cynerio.
The researchers also notified those other hospitals — they won't say exactly how many were using the internet-connected robots — as well as the manufacturer Aethon through CISA’s Coordinated Vulnerability Disclosure (CVD) process. All five bugs have been fixed for all Tug base server versions earlier than version 24.
“Cynerio has worked closely with Aethon, the manufacturer of these robots, to ensure that the latest version of the robot firmware contained patches and fixes for each vulnerability the Cynerio Live research team found before any public reporting,” the researchers wrote.
Tug robots have been on the market since 2004 and hundreds of them now operate in hundreds of hospitals across North America, Europe, and Asia, according to Cynerio.
These include more than 37 VA hospitals across the US, University of California-San Francisco Medical Center, and Stanford Hospital.
They can be programmed to perform many healthcare-related jobs, including transporting medications and lab specimens, cleaning floors, delivering meals and bed linens, and other tasks that involve moving materials and medical supplies. In other words: they’re very useful healthcare assistants — unless cybercriminals take over and the robots go rogue.
The robots use communication protocols, including radio waves, that allow them to open doors, and network-interface panels so they can ride elevators without human help. They also use cameras, lasers, and sensors to help them detect obstacles and avoid running into people.
Robots gone wild
While working on the Tug deployment, Cynerio researchers detected anomalous network traffic that they thought was related to the robots’ elevator and door sensors. They found a connection from the elevator to a server with an open HTTP port, which gave the security shop access to a company web portal that displayed the Tug robots’ status, hospital maps, and pictures and videos of what the robots were seeing in real time.
As the Cynerio researchers noted, all five vulnerabilities could be exploited over the network and the internet, and “required a very low skill set for exploitation.” The bugs also highlighted a “major security issue” in the robots’ OS, according to the security shop:
Here’s a rundown on all five.
The most serious of the bunch, CVE-2022-1070, received a 9.8 CVSS score. This vulnerability occurs because the product doesn't verify the identity of the users at both ends of the communication channel, or ensure the channel’s integrity. This could allow unauthenticated attackers to connect to the Tug home base server websocket and remotely control the robots.
“The /api/tug/v3/ and /api/tug/v2/ methods were freely accessible over HTTP on ports 8081 and 80, and could be used by an unauthenticated attacker to obtain real-time photos from TUG robots, obtain current robot coordinates, and other potentially sensitive information,” the researchers warned.
Once they’ve gained full control over the Tug robots, the attackers’ illicit actions could range from annoying — such as harassing and running into people and objects — to potentially deadly if they exploited the vuln to prevent patients from receiving critical medications.
Two other authorization vulnerabilities, CVE-2022-1066 and CVE-2022-26423, received an 8.2 severity score. Because the software doesn't perform an authorization check, an unauthenticated attacker could add new users with administrative privileges, delete or modify existing users, and access hashed user credentials.
Additionally, the user interface has a joystick module that allows users to control the robots. In this attack scenario, Cynerio researchers note that they could move the robots and send them commands, including denial-of-service attacks on elevators and doors, thus potentially locking people out of rooms and shutting down elevators. They could also see the robot’s camera in real time.
The final two bugs, CVE-2022-27494 and CVE-2022-1059, are both cross-site scripting (XSS) vulnerabilities in the fleet management console. Both scored 7.6. They occur because the software doesn't neutralize user-controllable input before placing it in output via the console, and could allow an attacker to hijack a user session with higher privileges, or inject malicious code into the browser of the user accessing the console. ®
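The anomalous-traffic finding above and the unauthenticated API and user-management bugs suggest a simple detection a hospital SOC could run over the base server's access log: flag Tug API or user-admin requests that were actually served (2xx) to clients outside the hospital network. This is an added example, not Cynerio's or Aethon's code; the /api/tug/v2/ and /api/tug/v3/ paths and ports 80 and 8081 come from the article, while the log format, the internal network range and the /admin/users path are constructed placeholders.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample access log: listening port, then Common Log Format.
# The /admin/users path is a hypothetical placeholder for a user-management
# endpoint, not Aethon's real route.
SAMPLE_LOG = """\
8081 10.20.4.17 - - [12/Apr/2022:09:14:02 +0000] "GET /api/tug/v3/robots/7/photo HTTP/1.1" 200 48211
80 10.20.4.17 - - [12/Apr/2022:09:14:05 +0000] "GET /status HTTP/1.1" 200 1204
8081 198.51.100.23 - - [12/Apr/2022:09:15:40 +0000] "GET /api/tug/v2/robots/7/coords HTTP/1.1" 200 312
80 198.51.100.23 - - [12/Apr/2022:09:15:44 +0000] "POST /admin/users HTTP/1.1" 200 88
8081 203.0.113.5 - - [12/Apr/2022:09:16:01 +0000] "GET /api/tug/v3/robots/3/coords HTTP/1.1" 401 0
"""

# Constructed: address space the hospital treats as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
TUG_API_PREFIXES = ("/api/tug/v2/", "/api/tug/v3/")
USER_ADMIN_PREFIX = "/admin/users"  # hypothetical placeholder

LINE_RE = re.compile(
    r'^(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

Finding = namedtuple("Finding", "ip port path reason")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text: str) -> list:
    """Return findings for Tug API or user-admin requests served to external clients."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, port, path = m["ip"], int(m["port"]), m["path"]
        served = 200 <= int(m["status"]) < 300  # a 401 is rejection, not exposure
        if is_internal(ip) or not served:
            continue
        if port in (80, 8081) and path.startswith(TUG_API_PREFIXES):
            findings.append(Finding(ip, port, path, "tug api served to external client"))
        elif path.startswith(USER_ADMIN_PREFIX):
            findings.append(Finding(ip, port, path, "user admin endpoint served to external client"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ip}:{f.port} {f.path} -> {f.reason}")
```

On the sample log this reports the two served external requests and ignores the rejected 401, which is the distinction that separates real exposure from a blocked probe.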