Five zero-day vulnerabilities were found in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide to transport goods, drugs, and other medical supplies. Hospital robots are attractive targets for cyber attackers: if access to the robots is obtained, a range of malicious actions becomes possible.
Attackers could induce a denial-of-service condition to disrupt hospital operations for extortion, and because sensitive patient data is entered into the devices, exploiting the vulnerabilities could give attackers access to patient information. The robots are granted privileged access to restricted areas of healthcare facilities that would not normally be open to unauthorized persons. They can open doors and call elevators, and could be used to block access, shut down elevators, or collide with staff and patients. Because the robots have built-in cameras, they could be hijacked and used for surveillance. They could also be hijacked to deliver malware or serve as a launchpad for larger cyberattacks on hospital networks.
Asher Brass and Daniel Brodie of Cynerio, a healthcare IoT security company, discovered the vulnerabilities, which are collectively referred to as JekyllBot:5. According to the researchers, attackers with a low level of expertise can exploit the vulnerabilities remotely when the system is connected to the internet. No special privileges are required to exploit them.
One vulnerability is rated critical with a CVSS severity score of 9.8 out of 10; the rest are high-severity issues with CVSS scores between 7.6 and 8.2. An unauthenticated attacker can exploit the most critical vulnerability, tracked as CVE-2022-1070, to gain access to the TUG Home Base Server WebSocket, which would allow the attacker to cause a denial-of-service condition, access sensitive data, and take full control of TUG robots.
Two of the vulnerabilities – CVE-2022-1066 and CVE-2022-26423 – are a result of incomplete authentication and have CVSS scores of 8.2. CVE-2022-1066 can be exploited by an unauthenticated attacker to create new users with administrator privileges and to modify or delete existing users. The second vulnerability allows an unauthenticated attacker to freely access hashed user information.
The other two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console susceptible to cross-site scripting attacks. Both received a CVSS score of 7.6.
The worst-case scenario is a complete disruption of critical care and a breach of patient privacy. JekyllBot:5 could allow attackers to compromise security in ways that would not otherwise be possible, especially with regard to physical safety.
The researchers reported the vulnerabilities to Aethon and CISA. Aethon has fixed the vulnerabilities in a new firmware release, version 24. All software versions before version 24 are vulnerable to exploitation of the JekyllBot:5 vulnerabilities.
Additional steps can be taken to reduce the likelihood of the vulnerabilities being exploited. CISA recommends not exposing control system devices and systems to the internet, placing all control systems behind firewalls, and isolating systems such as the TUG Home Base Server from enterprise networks. Where remote access is required, a Virtual Private Network should be required for access, and VPNs should be kept updated and always running the latest software version.
“Hospitals require solutions that exceed mere healthcare IoT device inventory checkups to proactively minimize risks and implement fast remediation for any recognized attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio.