Critical bug allows attacker to remotely control medical robot

CVSS 9.8 flaws are not what you want in a hospital robot


Mobile robot maker Aethon has fixed a series of vulnerabilities in its Tug hospital robots that, if exploited, could allow a cybercriminal to remotely control thousands of medical machines.

Exploiting these five bugs, collectively called JekyllBot:5, required no special privileges or user interaction. And once used, they could allow miscreants to perform all sorts of evil deeds including accessing user credentials and medical records, locking down elevators and doors, surveilling facilities, disrupting patient care and meds, and launching further cyberattacks.

IoT healthcare security firm Cynerio discovered the vulnerabilities, whose CVSS scores range from 7.6 to 9.8, while deploying the Tug robots for a customer hospital.

Thankfully, none of these vulnerabilities were exploited in the wild. The threat research team notified the affected hospital, which had not yet connected its Tug robots to the internet. 

Cynerio did, however, find "several" hospitals in the US and globally that were using the internet-connected robots, and in each of these cases the researchers could exploit the vulns to remotely control the robots from the Cynerio Live research lab. 

"If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots," said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and head of cyber network analysis at Cynerio.

The researchers also notified these other hospitals — they won't say exactly how many were using the internet-connected robots — as well as the manufacturer Aethon through CISA's Coordinated Vulnerability Disclosure (CVD) process. All five bugs have been fixed for all Tug base server versions before version 24.

"Cynerio has worked closely with Aethon, the manufacturer of these robots, to ensure that the latest version of the robot firmware contained patches and fixes for each vulnerability the Cynerio Live research team found before any public reporting," the researchers wrote. 

Tug robots

Tug robots have been on the market since 2004 and thousands of them now operate in hundreds of hospitals across North America, Europe, and Asia, according to Cynerio.

This include more than 37 VA hospitals across the US, University of California-San Francisco Medical Center, and Stanford Hospital.

They can be programmed to perform many health care-related jobs including transporting medications and lab specimens, cleaning floors, delivering meals and bed linens and other tasks that involve moving materials and clinical supplies. In other words: they are very useful health-care assistants — unless cybercriminals take over and the robots go rogue.

The robots use communication protocols including radio waves that allow them to open doors, and network-interface panels so they can ride elevators without human help. They also use cameras, lasers, and sensors to help them detect obstacles and avoid running into people.

Robots gone wild

While working on the Tug deployment, Cynerio researchers detected anomalous network traffic that they thought was related to the robots' elevator and door sensors. They found a connection from the elevator to a server with an open HTTP port, which gave the security shop access to a company web portal that displayed the Tug robots' status, hospital maps, and photos and videos of what the robots were seeing in real time. 

This portal also allowed an unauthorized user to control the robots, according to the security team. Additionally, they found some HTML vulnerabilities on the Tub web portal page that allowed an attacker to insert malicious javascript code on any computer that requested data about the robots.

Specifically, the vulnerabilities were in TUG Homebase Server's JavaScript and API implementation, and a websocket that relied on absolute trust between the server and the robots to relay commands to them. 

As the Cynerio researchers noted, all five vulnerabilities could be exploited over the network and the internet, and "required a very low skill set for exploitation." The bugs also highlighted a "major security issue" in the robots' OS, according to the security shop:

"The security components underpinning Aethon TUG devices were located in the JavaScript that was running in the browser of the user connected to their portal. This meant that all security measures in place for these devices could be bypassed, and that every action Cynerio researchers subsequently tested was not validated or checked by the system."

Here's a rundown on all five.

JekyllBot:5 vulnerabilities

The most critical of the bunch, CVE-2022-1070 received a 9.8 CVSS score. This vulnerability occurs because the product doesn't verify the identity of the users at both ends of the communication channel, or ensure the channel's integrity. This could allow unauthenticated attackers to connect to the Tug home base server websock and remotely control the robots. 

"The /api/tug/v3/ and /api/tug/v2/ methods were freely accessible over HTTP on ports 8081 and 80, and could be used by an unauthenticated attacker to obtain real-time photos from TUG robots, obtain current robot coordinates, and other potentially sensitive information," the researchers warned. 

Once they have complete control over the Tug robots, the attackers' illicit activities could range from annoying — such as harassing and running into people and objects — to potentially deadly if they exploited the vuln to prevent patients from receiving critical medications. 

Two other authorization vulnerabilities, CVE-2022-1066 and CVE-2022-26423, received an 8.2 severity score. Because the software doesn't perform an authorization check, an unauthenticated attacker could add new users with administrative privileges, delete or modify existing users, and access hashed user credentials. 

Additionally, the user interface has a joystick module that allows users to control the robots. In this attack scenario, Cynerio researchers note that they could move the robots and send them commands, including denial-of-service attacks on elevators and doors, thus potentially locking people out of rooms and shutting down elevators. They could also see the robot's camera in real time.

The final two bugs, CVE-2022-27494 and CVE-2022-1059, are both cross-site scripting (XSS) vulnerabilities in the fleet management console. Both scored 7.6. They occur because the software doesn't neutralize user-controllable input before placing it in output, via the console, and could allow an attacker to hijack a user session with higher privileges, or inject malicious code into the browser of the user accessing the console. ®


Other stories you might like

  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading
  • Perl Steering Council lays out a backwards compatible future for Perl 7
    Sensibly written code only, please. Plus: what all those 'heated discussions' were about

    The much-anticipated Perl 7 continues to twinkle in the distance although the final release of 5.36.0 is "just around the corner", according to the Perl Steering Council.

    Well into its fourth decade, the fortunes of Perl have ebbed and flowed over the years. Things came to a head last year, with the departure of former "pumpking" Sawyer X, following what he described as community "hostility."

    Part of the issue stemmed from the planned version 7 release, a key element of which, according to a post by the steering council "was to significantly reduce the boilerplate needed at the top of your code, by enabling a lot of widely used modules / pragmas."

    Continue reading

Biting the hand that feeds IT © 1998–2022