There were five zero-day vulnerabilities found in Aethon TUG autonomous mobile robots, which hospitals around the world use for transporting products, medicines, and other medical items. Hospital robots are alluring targets for hackers. When access to the robots is acquired, a number of malicious actions can be done.
Attackers may bring about a denial-of-service condition to disturb hospital operations for extortion, and given that sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient information. The robots are offered privileged access to limited areas inside healthcare facilities, which would not usually be accessible to unauthorized people. The robots may open doors and acquire access to elevators, and can be employed to prevent access, turn off elevators, or bump into personnel and patients. Because the robots have integrated cameras, they may be hijacked and utilized for surveillance. The robots can also possibly be hijacked and employed to deliver malware or can serve as a launchpad for bigger cyberattacks on hospital systems.
Asher Brass and Daniel Brodie of Cynerio, a healthcare IoT security firm, identified the vulnerabilities, which are all called JekyllBot:5. According to the researchers, attackers with a low level of skill can exploit the vulnerabilities remotely every time the system is connected to the Internet. There are no special privileges required to take advantage of the vulnerabilities.
One of the vulnerabilities is rated critical with a CVSS severity score of 9.8 out of 10 and the remaining four are all high-severity issues having CVSS scores from 7.6 to 8.2. An unauthenticated attacker can exploit the vulnerability CVE-2022-1070 to access the TUG Home Base Server WebSocket, which would permit the hacker to trigger a denial-of-service issue, obtain access to sensitive information, and take complete control of TUG robots.
These two vulnerabilities – and CVE-2022-26423 – are because of lacking authentication and got CVSS scores of 8.2. The vulnerability CVE-2022-1066 could be used by an unauthenticated attacker and permits new users to be registered with administrative privileges and enables present users to be changed or deleted. The second vulnerability enables an unauthenticated hacker to freely obtain access to hashed user credentials.
The last two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console prone to cross-site scripting attacks. Both vulnerabilities got a CVSS score of 7.6.
The most severe scenario is a complete disruption of critical care and violation of patient privacy. JekyllBot:5 could enable attackers to threaten security in ways they wouldn’t otherwise be able to, especially when it comes to physical security.
The researchers informed Aethon and CISA regarding the vulnerabilities. Aethon has fixed the vulnerabilities through a new firmware release – version 24. All versions of the software prior to version 24 are in danger of the JekyllBot:5 vulnerabilities exploitation.
Additional steps can also be taken to lessen the threat of vulnerabilities exploitation. CISA advises not exposing the control system devices and systems to the web, putting all control systems behind firewalls, and isolating systems like TUG Home Base Server from company networks. When remote access is needed, Virtual Private Networks must be required for access and VPNs must be updated and constantly using the most recent software version.
Hospitals need solutions that go over mere healthcare IoT device inventory inspections to proactively offset risks and apply speedy remediation for any detected attacks or malicious activity,” stated Leon Lerman, founder and CEO of Cynerio.