Cynerio Discovers Vulnerabilities to Remotely Control Hospital Robots

by Fred Pennic 04/15/2022 Leave a Comment


What You Should Know:

– Cynerio, a provider of healthcare IoT security solutions, announced the discovery, exploitation, and disclosure of five zero-day vulnerabilities, collectively known as JekyllBot:5, that affect commonly used robots found in hundreds of hospitals worldwide.

– Vulnerabilities found in Aethon Tug hospital robots could allow attackers to circumvent security and remotely surveil and interact with patients, obstruct medication distribution, and disrupt day-to-day hospital operations. 


JekyllBot:5 Vulnerabilities for Aethon TUG Autonomous Robots

Aethon TUG smart autonomous robots are designed to handle healthcare-related tasks such as distributing medication, cleaning, and transporting hospital supplies. The robots leverage radio waves, sensors, cameras and other technology to open doors, take elevators and travel throughout hospitals unassisted without bumping into people and objects. However, the same technology that lets the robots move independently around the hospital is what makes their vulnerabilities so dangerous in the hands of a potential attacker.

The JekyllBot:5 vulnerabilities were discovered by the Cynerio Live research team and reside in the TUG Homebase Server's JavaScript and API implementation, as well as in a WebSocket that relied on absolute trust between the server and the robots to relay commands to them. Some of the more severe attack scenarios made possible by exploiting these vulnerabilities, which scored as high as 9.8 on the CVSS scale, include:

– Disrupting or impeding the timely delivery of patient medications and lab samples essential for optimal patient care

– Interfering with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems

– Monitoring or taking videos and pictures of vulnerable patients, staff, and hospital interiors, as well as sensitive patient medical records

– Controlling all physical capabilities and locations of the robots to allow access to restricted areas, interaction with patients or crashing into staff, visitors and equipment

– Hijacking legitimate administrative user sessions in the robots’ online portal and injecting malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.
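The article describes the core design flaw as a command relay that trusted any WebSocket peer absolutely. The following is an added illustration, not Cynerio's research code nor Aethon's implementation, and it assumes a hypothetical JSON command envelope and a per-robot shared secret; it places the weak relay pattern beside a hardened one that checks origin, freshness and replay before forwarding a command.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example: a per-robot secret provisioned out of band to both the
# robot and the homebase server. Hypothetical value, not a vendor key.
ROBOT_KEYS = {"tug-01": b"constructed-per-robot-secret"}
MAX_SKEW_SECONDS = 30
_seen_nonces: set = set()  # replay cache; bound its size in a real deployment


def relay_unauthenticated(raw: str) -> dict:
    """Weak pattern: any peer that can open the WebSocket gets its command relayed."""
    msg = json.loads(raw)
    return {"robot": msg["robot"], "command": msg["command"], "accepted": True}


def sign_command(robot: str, command: str, key: bytes, now: Optional[float] = None) -> str:
    """Build a signed envelope: HMAC-SHA256 over robot|command|timestamp|nonce."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    payload = f"{robot}|{command}|{ts}|{nonce}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"robot": robot, "command": command, "ts": ts, "nonce": nonce, "mac": mac})


def relay_authenticated(raw: str, now: Optional[float] = None) -> dict:
    """Hardened pattern: verify origin, freshness and uniqueness before relaying."""
    now = now if now is not None else time.time()
    try:
        msg = json.loads(raw)
        robot, command = msg["robot"], msg["command"]
        ts, nonce, mac = int(msg["ts"]), msg["nonce"], msg["mac"]
    except (ValueError, KeyError, TypeError):
        return {"accepted": False, "reason": "malformed"}
    key = ROBOT_KEYS.get(robot)
    if key is None:
        return {"accepted": False, "reason": "unknown robot"}
    if abs(now - ts) > MAX_SKEW_SECONDS:          # reject stale or future-dated commands
        return {"accepted": False, "reason": "stale"}
    if nonce in _seen_nonces:                      # reject a captured envelope sent twice
        return {"accepted": False, "reason": "replay"}
    expected = hmac.new(key, f"{robot}|{command}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):    # constant-time comparison of the MAC
        return {"accepted": False, "reason": "bad signature"}
    _seen_nonces.add(nonce)
    return {"robot": robot, "command": command, "accepted": True}
```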

Mitigation Details

The JekyllBot:5 vulnerabilities have been mitigated by the device manufacturer following Cynerio’s disclosure of the risks through the CISA Coordinated Vulnerability Disclosure process. Several patches have been applied to the robot fleets at each Aethon customer hospital, including one major patch that required replacing firmware and an operating system update for robots at some hospitals. In addition, Aethon was able to update the firewalls at particular hospitals known to have vulnerable robots so that public access to the robots through the hospitals’ IP addresses was prevented as the fixes were rolled out.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,” said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and Head of Cyber Network Analysis at Cynerio. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”
