Zero-Day Vulnerabilities Allow Hackers to Take Control of Hospital Robots

A warning has been issued to hospitals that use the Atheon TUG  mobile robots about five vulnerabilities – dubbed JekyllBot:5 – that could be exploited by hackers for a range of malicious purposes.

Hospital robots are used for delivering medical supplies and drugs throughout hospitals to improve efficiency. The robots are equipped with cameras, are able to move freely throughout hospitals, and have access to hospital elevators, key-locked doors, and can move into restricted areas. If hackers gained access to the robots, they could virtually access areas of the hospital that would not otherwise be possible.

If control of the robots is gained, they could be used to block access to parts of the hospital, take elevators out of action, or used to cause accidents. Once access to the control system is gained, the robots could be disabled causing disruption to hospital operations and delaying the delivery of important equipment and medications. The robots are fed sensitive patient data, which could be stolen in an attack, and the robots could be used for surveillance through the inbuilt camera. It would also be possible to use the remote access to deliver malware to any networks to which the robots connect.

The JekyllBot:5 vulnerabilities affect all versions of the Atheon TUG Home Base Server prior to version 24 and were identified by security researchers at IoT security firm Cynerio. One of the vulnerabilities – CVE-2022-1070 – is rated critical and can be exploited remotely if the TUG Home Base Server is accessible over the Internet.  The flaw has a CVSS base score of 9.8/10 and allows an attacker to take full control of the hospital robots. The vulnerability could be exploited to trigger a denial-of-service condition, could provide an attacker with access to sensitive patient data, and would allow all of the malicious activities above to be conducted remotely.

The other four of the JekyllBot:5 vulnerabilities – CVE-2022-1066, CVE-2022-26423, CVE-2022-1070, and CVE-2022-1059 – are all rated high severity and are due to a lack of authentication and user verification and leave the system vulnerable to cross-site scripting attacks. These flaws could be exploited remotely and would allow an attacker to modify and delete existing users, create new users with admin privileges, and access hashed user credentials.

The JekyllBot:5 vulnerabilities were reported to Aethon prior to disclosure and new firmware – version 24- has now been released to correct the flaws. Hospitals should also consider other mitigations to prevent the exploitation of as-of-yet undiscovered vulnerabilities. All control systems should be located behind firewalls, control systems should not be accessible over the Internet, and if remote access is required, a Virtual Private Network (VPN) should be used. VPNs can also be vulnerable, so the latest version of the software should always be used. Hospital robot systems and IoT devices should also be isolated from other parts of the networks.