Report: Zero-Day Flaws Pose Attack Risks to Hospital Robots5 Critical Vulnerabilities Could Allow Hackers to Tamper with Certain Gear
Five critical zero-day vulnerabilities discovered in certain autonomous, mobile hospital robots - if exploited - could allow hackers to disrupt the delivery of medications and other supplies, interfere with elevator operation and take videos of patients and their records, a new security research report says.
Some experts say the situation serves as a reminder of often-overlooked security risks posed by nonmedical connected devices commonly used in healthcare environments.
"Until just recently, little or no attention was paid to nonmedical IoT devices, because no risk assessment was made either by the manufacturers or the consuming healthcare providers," says technology attorney Steven Teppler of the law firm Sterlington PLLC. "The healthcare industry is finally starting to understand that security is an essential component of functionality."
The recently identified robot vulnerabilities - collectively dubbed "JekyllBot:5" - were found in TUG smart robots from ST Engineering Aethon Inc., according to a research report released Tuesday by IoT security vendor Cynerio.
The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday also issued an advisory about the Aethon TUG Home Base Server vulnerabilities.
The TUG vulnerabilities, which include CVEs that have CVSS scores ranging from score of 7.6, or high, to 9.8, or critical, include two missing authorization flaws that are channel accessible by non-endpoint and cross-site scripting issues, CISA says.
"Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow full control of robot functions, or expose sensitive information," CISA warns.
The JekyllBot:5 vulnerabilities have been mitigated with patches by Aethon following Cynerio's disclosure to CISA through the agency's Coordinated Vulnerability Disclosure process, the Cynerio report says.
In its report, Cynerio details the most severe attack scenarios at risk by potentially exploiting the JekyllBot: 5 vulnerabilities. They include:
- Disrupting or impeding the timely delivery of patient medications and lab samples;
- Interfering, shutting down or obstructing hospital elevators and door-locking systems;
- Monitoring or taking videos and pictures of patients, staff, hospital interiors and patient medical records;
- Controlling all physical capabilities and locations of the robots to allow access to restricted areas, interaction with patients or crashing into staff, visitors and equipment;
- Hijacking legitimate administrative user sessions in the robots' online portal and injecting malware through their browser to launch further cyberattacks on IT at healthcare facilities.
"Bottom line: The worst-case scenario is a total disruption of critical care and violation of patient privacy, and JekyllBot:5 would give attackers the means to compromise security in ways they would not otherwise be able to, especially in terms of physical security," Cynerio spokesman Daniel Brody says in a statement to Information Security Media Group.
Aethon did not immediately respond to ISMG's request for comment on the vulnerability findings. Its parent company, ST Engineering, is based in Singapore and its U.S. headquarters is in Pittsburgh.
Cynerio says it discovered the vulnerabilities while it was carrying out a deployment for a customer hospital. "Aethon TUG robots communicate over Wi-Fi, which must be converted to Ethernet when the fleet management system is accessed," Cynerio says.
In late 2021, a Cynerio researcher detected anomalous network traffic that seemed to be related to the hospital's elevator and door sensors, the report says.
"That in turn led to an investigation that revealed a connection from the elevator to a server with an open HTTP port, which then gave the researcher access to a company web portal with information about the Aethon TUG robots' current status, hospital layout maps, and pictures and video of what the robots were seeing," the report says.
"Most organizations have a hard enough time maintaining visibility and security on traditional IT assets. Nontraditional assets, such as IoT devices, can be harder to manage and secure."
—Benjamin Denkers, CynergisTek
Subsequent research revealed that control of the robots was also possible through unauthorized access, Cynerio says, adding that the affected Aethon TUG robots are used in "hundreds" of hospitals worldwide.
"Recent Cynerio research based on a survey of healthcare IoT devices monitored by our technology shows that 53% of all devices have at least one critical risk that would affect patient safety, data or care if an attacker were able to exploit it," Brody says.
"For devices like IV pumps, which are the most common healthcare IoT device in hospitals, the percentage of vulnerable devices creeps up to 73%."
In its alert, CISA says Aethon has implemented a mitigation plan with patches to address these vulnerabilities. "Aethon has checked all locations where this product is in use to ensure firewalls are active and to update systems to the newest software, Version 24," the agency says.
It recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities, including:
- Minimizing network exposure for all control system devices and systems, and ensuring they are not accessible from the internet;
- Locating control system networks and remote devices behind firewalls and isolating them from the business network;
- When remote access is required, using secure methods, such as Virtual Private Networks, while recognizing that VPNs also may have vulnerabilities and should be updated to the most current version available;
- Performing proper impact analysis and risk assessment prior to deploying defensive measures.
The findings by Cynerio are a reminder of the security challenges posed by other nonmedical device IoT gear found throughout hospitals and other healthcare settings, some experts say.
"Most organizations have a hard enough time maintaining visibility and security on traditional IT assets. Nontraditional assets, such as IoT devices, can be harder to manage and secure," says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
For healthcare entities, threat and asset management of IoT devices shouldn’t be an afterthought, he says. "Building this into an organization’s security program helps ensure they can be proactive in terms of identifying potential risks," he says.
"If access to a hospital’s network is permitted without performing a risk assessment associated with [a] device, such vulnerabilities could interrupt vital hospital functions."
—Steven Teppler, Sterlington PLLC
"For venders and manufactures, security should be fundamentally built in from the beginning. Having a mature software development life cycle process will go a long way in helping ensure they are building or implementing secure solutions."
Teppler says that besides robots, other examples of IoT gear found in healthcare environments and likely to be overlooked in security risk assessments include connected dishwashing and laundry equipment, sterilizers, vending machines, coffee makers, nonmedical staff smart watches and public announcement monitors.
"If access to a hospital's network is permitted without performing a risk assessment associated with [a] device, such vulnerabilities could interrupt vital hospital functions - operatory functions, connected monitoring or dosage devices, HVACs, elevators, plumbing, not to mention protected health information and records that can be subject to breaches, integrity compromise - such as alteration or erasure - and availability. Think ransomware, or outright records deletion," he says.
Before deploying or permitting the deployment of a connected device, a healthcare provider should obtain verifiable assurance - through an independent audit - that the device software, including any open-source components, does not have latent vulnerabilities, according to Teppler.
The device should also be assessed to determine that its deployment in that particular environment poses no, or acceptably low, risk, he adds.