Cynerio cybersecurity researchers specializing in healthcare IoT have discovered five serious vulnerabilities that allow remote hacking of Aethon’s TUG autonomous mobile robots. The TUG robots are used by hundreds of hospitals across the globe to transport goods, materials and clinical supplies.
… these robots require a lot of sensitive data and freedom of movement to be able to carry out their jobs effectively. JekyllBot:5 is a set of 5 critical zero-day vulnerabilities, found by the Cynerio Live research team, that enable remote control of Aethon TUG smart autonomous mobile robots and their online console. JekyllBot:5 allows attackers who exploit these vulnerabilities to:
- Take videos and pictures of vulnerable patients and hospital interiors
- See real-time footage of a hospital through the robots’ cameras
- Interfere with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems
- Take control of the robots’ movement and crash them into people and objects, or use them to harass patients and staff
- Disrupt or block robot delivery of critical patient medication, or steal it outright, with potentially damaging or even fatal patient outcomes as a result
- Disrupt the regular maintenance tasks routinely performed by the robots, including housekeeping, cleaning, and delivery errands
- Hijack legitimate administrative user sessions in the robots’ online portal and inject malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities
Medical IoT, while incredibly valuable for patient care, can present soft targets that are appealing to bad actors. Such connected devices are often challenging to patch and keep updated, and they frequently fall outside the purview of the IT security team, which further exacerbates the issue.
A modern healthcare data security strategy should apply some of the same principles used by the military: you can’t hack what you can’t see. This is commonly known as managed attribution, where critical IT resources and source-to-destination relationships are obfuscated, making network and endpoint resources virtually impossible to detect. Next-gen VPNs can add further protection by simplifying firewall rules and eliminating the need for open inbound ports.