Five zero days affecting Aethon hospital autonomous robots patched

Multibillion-dollar engineering firm ST Engineering said it has patched five zero day vulnerabilities affecting its Aethon TUG autonomous mobile robots, devices that are now used widely in hospitals across the world. 

Healthcare institutions use the robots for a variety of tasks including transporting hospital supplies, distributing medication and cleaning. 

In a statement to The Record, an ST Engineering spokesperson said they were informed of the vulnerabilities on January 6 and said it stemmed “from a cybersecurity audit performed by a cyber security firm hired by our customer directly and granted access privileges to their network.”

“After being informed by CISA, Aethon took immediate action. A system patch has been prepared and rolled out to eliminate the possibility of exploitation. The original cyber security firm reporting the vulnerability tested the system patch and on April 4, 2022 informed us that the patch was effective,” the company said. 

“Our customers’ cyber security is vital, and we approached this issue with the utmost of diligence.”

They added that they have no evidence showing the vulnerabilities were exploited and claimed that the robot system “does not interact with any sensitive data and the vulnerability identified would not have inadvertently exposed patient, staff or financial data.”

Researchers with healthcare IoT cybersecurity firm Cynerio discovered the five vulnerabilities – CVE-2022-1066, CVE-2022-26423, CVE-2022-1070, CVE-2022-27494, CVE-2022-1059 – and collectively named them “JekyllBot:5.” 

According to Cynerio, part of what helps the robots move around the hospital without assistance is what makes them vulnerable. The five vulnerabilities were found in the TUG Homebase Server’s JavaScript and API implementation, as well as a WebSocket that relied on absolute trust between the server and the robots to relay commands to them.

Through the vulnerabilities, the researchers were able to take over the robots and disrupt the distribution of medication and lab samples, shut down or obstruct hospital elevators, take videos and photos of patients, staff and hospital grounds as well as patient medical records and more. 

The company was also able to hijack legitimate administrative user sessions in the robots’ online portal before “injecting malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.”

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,“ said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and head of cyber network analysis at Cynerio. 

“If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”

Like ST Engineering, Cynerio said it addressed the bugs through the Cybersecurity and Infrastructure Security Agency’s (CISA) Coordinated Vulnerability Disclosure process.

The patches have been applied to all of the robot fleets and in some instances, Aethon helped hospitals update their firewalls to limit public access to the robots through the hospitals’ IP addresses. 

CVE-2022-1070 carries a CVSS score of 9.8 while the others range from 7.6 to 8.2. Cynerio says it first became aware of the issues while pushing through a deployment of the robots at a hospital that was a client. 

They quickly discovered that when exploited, the vulnerabilities gave attackers full access to the robots, which not only provided access to the hospital’s system but also gave threat actors the opportunity to see the hospital through the robot’s cameras.

They took their findings to CISA and worked with Aethon on the patches.