Mobile robot manufacturer Aethon has fixed a set of vulnerabilities in its TUG hospital robots. The flaws could have allowed attackers to take remote control of thousands of medical devices.
Exploiting the five vulnerabilities, collectively dubbed JekyllBot:5, required neither special privileges nor user interaction. A successful attacker could have gained access to user credentials and medical records, locked elevators and doors, monitored the premises through the robots' cameras, and interfered with patient care and medication delivery.
The vulnerabilities were discovered by researchers at Cynerio and received CVSS scores ranging from 7.6 to 9.8. No exploitation in real attacks is known. The researchers found "several" hospitals in the United States and elsewhere that operated Internet-connected TUG robots; in each case they were able to use the flaws to remotely control the robots from the Cynerio Live research laboratory. Cynerio reported its findings to Aethon, which fixed the problems in an updated version of the TUG Home Base Server software, the component that hosts the affected interfaces.
While analysing the TUG robots, the Cynerio researchers noticed anomalous network traffic that, in their assessment, was tied to the elevator and door sensors the robots interact with. They traced a connection from the elevator system to a server with an open HTTP port that exposed the vendor's web portal, which displayed the status of the TUG robots, hospital maps, and photos and live video of what the robots could see.
According to the researchers, the portal also allowed an unauthorized user to issue commands to the robots. In addition, they found cross-site scripting flaws in the pages of the TUG web portal that let an attacker inject malicious JavaScript into the browser of anyone who requested data about the robots.
Specifically, the flaws lay in the portal's JavaScript, in the TUG Homebase Server API, and in a WebSocket channel that relied on implicit trust between the server and the robots to carry commands to them. The most serious issue, CVE-2022-1070, scored 9.8 on the CVSS scale. It arises because the product does not adequately verify the identity of the actors at both ends of the communication channel, nor ensure the integrity of that channel. As a result, an unauthenticated attacker can connect to the TUG Home Base Server's WebSocket interface and remotely control the robots.
“The /api/tug/v3/ and /api/tug/v2/ methods were freely available via HTTP on ports 8081 and 80 and could be used by unauthorized attackers to obtain real-time photos from TUG robots, device coordinates and other potentially confidential information,” the researchers warned.
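The two concrete facts in the report, the /api/tug/v2/ and /api/tug/v3/ prefixes and ports 80 and 8081 answering unauthenticated HTTP requests, are enough to build a check for the unauthenticated-API problem described in the last two paragraphs. The script below is an added example, not code from Cynerio's report or from Aethon. It does two things: a read-only probe that sends credential-less GETs to each port/prefix pair and reports whether data came back, and a retrospective pass over web-server logs that flags successful API reads from outside a trusted network (the question an incident responder asks before patching: did anyone else find this first?). The log format (nginx/Apache "combined"), the sample log lines, the trusted-network list and the verdict names are assumptions made for illustration. The WebSocket flaw (CVE-2022-1070) is not probed here, because the report gives no details of that channel beyond the missing endpoint authentication.

```python
"""Audit helpers for the exposed TUG Home Base Server API.

Added example, not code from Cynerio or Aethon. Only the API prefixes and
ports come from the report; the log format, sample lines, trusted networks
and verdict names are assumptions for illustration.
"""
import ipaddress
import re
import sys
import urllib.error
import urllib.request

# Endpoints quoted in the Cynerio report.
API_PREFIXES = ("/api/tug/v2/", "/api/tug/v3/")
API_PORTS = (80, 8081)


def classify_status(status):
    """Translate the status of a credential-less GET into an audit verdict."""
    if 200 <= status < 300:
        return "EXPOSED"        # data served with no credentials at all
    if status in (401, 403):
        return "AUTH_ENFORCED"  # server demanded credentials or refused the source
    if 300 <= status < 400:
        return "REDIRECT"       # often a bounce to a login page; review manually
    if status == 404:
        return "NOT_PRESENT"    # path unknown: not a Home Base Server, or changed layout
    return "OTHER"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for a 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_host(host, timeout=5.0):
    """One unauthenticated GET per port/prefix pair; returns url -> verdict.

    Read-only. Run it only against equipment you are authorised to test.
    """
    opener = urllib.request.build_opener(NoRedirect())
    results = {}
    for port in API_PORTS:
        for prefix in API_PREFIXES:
            url = f"http://{host}:{port}{prefix}"
            try:
                with opener.open(url, timeout=timeout) as resp:
                    results[url] = classify_status(resp.status)
            except urllib.error.HTTPError as err:
                results[url] = classify_status(err.code)
            except (urllib.error.URLError, OSError):
                results[url] = "UNREACHABLE"
    return results


# Assumed log format: nginx/Apache "combined", written by the server itself
# or by a reverse proxy in front of it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def flag_api_hits(log_lines, trusted_networks):
    """Successful API requests from outside the trusted networks, oldest first.

    Returns (source, timestamp, path, status) tuples.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIXES):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname instead of an address: skip rather than guess
        if any(src in net for net in nets):
            continue
        status = int(m["status"])
        if classify_status(status) == "EXPOSED":
            hits.append((m["src"], m["ts"], m["path"], status))
    return hits


# Constructed sample lines, not real hospital traffic. 10.0.0.0/8 is the assumed
# clinical network; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '10.20.30.40 - - [09/Apr/2022:10:15:02 +0000] "GET /api/tug/v3/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2022:10:16:44 +0000] "GET /api/tug/v3/ HTTP/1.1" 200 5123 "-" "python-requests/2.27"',
    '203.0.113.7 - - [09/Apr/2022:10:16:45 +0000] "GET /api/tug/v2/ HTTP/1.1" 200 812 "-" "python-requests/2.27"',
    '198.51.100.9 - - [09/Apr/2022:10:17:10 +0000] "GET /api/tug/v3/ HTTP/1.1" 401 0 "-" "curl/7.81"',
    '198.51.100.9 - - [09/Apr/2022:10:17:11 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "curl/7.81"',
]

if __name__ == "__main__":
    for hit in flag_api_hits(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("untrusted source read TUG API:", hit)
    if len(sys.argv) > 1:  # optional live probe of one host you own
        for url, verdict in probe_host(sys.argv[1]).items():
            print(verdict, url)
```

On the constructed log, the two reads from 203.0.113.7 are flagged and the 401 from 198.51.100.9 is not, which is the distinction that matters: a 2xx with no credentials is exactly the condition the researchers reported, while a 401 or a redirect to a login page means the server enforced authentication. A "NOT_PRESENT" across all four probes most likely means the host is not a Home Base Server at all, not that it is safe; check the vendor's patched version before concluding anything.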