Cynerio cybersecurity researchers specializing in healthcare IoT have discovered five serious vulnerabilities that allow remote hacking of Aethon’s TUG autonomous mobile robots. The TUG robots are used by hundreds of hospitals across the globe to transport goods, materials and clinical supplies.
… these robots require a lot of sensitive data and freedom of movement to be able to carry out their jobs effectively. JekyllBots is a set of 5 critical zero-day vulnerabilities that were found by the Cynerio Live research team that enable remote control of Aethon TUG smart autonomous mobile robots and their online console. JekyllBot:5 allows attackers who exploit these vulnerabilities to:
- Take videos and pictures of vulnerable patients and hospital interiors
- See real-time footage of a hospital through the robots’ cameras
- Interfere with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems
- Take control of the robots’ movement and crash them into people and objects, or use them to harass patients and staff.
- Disrupt or block robot delivery of critical patient medication, or steal it outright, with potentially damaging – or fatal patient outcomes as a result
- Disrupt the regular maintenance tasks regularly performed by the robots, including housekeeping. cleaning, and delivery errands
- Hijack legitimate administrative user sessions in the robots’ online: portal and inject malware through their browser to perpetrate further cyberattacks on IT and security team. members at healthcare facilities.