Cynerio Discovers Vulnerabilities to Remotely Control Hospital Robots

by Fred Pennic 04/15/2022 Leave a Comment


What You Should Know:

– Cynerio, a provider of healthcare IoT security solutions, announced the discovery, exploitation, and disclosure of five zero-day vulnerabilities, collectively known as JekyllBot:5, which affect robots in use at hundreds of hospitals worldwide.

– The vulnerabilities, found in Aethon TUG hospital robots, could allow attackers to bypass the robots' security controls, remotely surveil and interact with patients, obstruct medication distribution, and disrupt day-to-day hospital operations.


JekyllBot:5 Vulnerabilities for Aethon TUG Autonomous Robots

Aethon TUG smart autonomous robots are designed to handle healthcare-related tasks such as distributing medication, cleaning, and transporting hospital supplies. The robots use radio, sensors, cameras and other technology to open doors, take elevators and travel throughout hospitals unassisted without bumping into people and objects. However, the same technology that lets the robots move around the hospital independently is what makes their vulnerabilities so dangerous in the hands of an attacker.

The JekyllBot:5 vulnerabilities were discovered by the Cynerio Live research team and reside in the TUG Homebase Server's JavaScript and API implementation, as well as in a WebSocket that relied on absolute trust between the server and the robots to relay commands to them. The most severe of them carries a CVSS score of 9.8. Attack scenarios that exploiting these vulnerabilities would enable include:

– Disrupting or impeding the timely delivery of patient medications and lab samples essential for optimal patient care

– Interfering with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems

– Monitoring or taking videos and pictures of vulnerable patients, staff, and hospital interiors, as well as sensitive patient medical records

– Controlling all physical capabilities and locations of the robots to allow access to restricted areas, interaction with patients or crashing into staff, visitors and equipment

– Hijacking legitimate administrative user sessions in the robots’ online portal and injecting malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.

Mitigation Details

The JekyllBot:5 vulnerabilities have been mitigated by the device manufacturer following Cynerio's disclosure of the risks through the CISA Coordinated Vulnerability Disclosure process. Several patches have been applied to the robot fleets at each Aethon customer hospital, including one major patch that required replacing firmware and updating the operating system on robots at some hospitals. In addition, Aethon updated the firewalls at hospitals known to have vulnerable robots so that the robots could not be reached from the public internet through the hospitals' IP addresses while the fixes were rolled out.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,” said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and Head of Cyber Network Analysis at Cynerio. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”
