Hospital robots exposed to hackers after critical security vulnerabilities discovered

Zero-day vulnerability meant Tug robots could be hijacked by hackers

Anthony Cuthbertson
Wednesday 13 April 2022 09:03 EDT
Comments
A remote-controlled robot prototype extracts a throat swab sample, as part of a project to assist physicians in running tests on suspected Covid-19 patients n Egypt’s Nile delta city of Tanta, on 20 March, 2021
A remote-controlled robot prototype extracts a throat swab sample, as part of a project to assist physicians in running tests on suspected Covid-19 patients n Egypt’s Nile delta city of Tanta, on 20 March, 2021 (AFP via Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Fleets of robots deployed to hospitals throughout the US were exposed to hackers after researchers discovered five critical security vulnerabilities with their software.

Researchers from the cyber security firm Cynerio found the bugs, dubbed JekyllBot:5, within Tug robots built by US-based manufacturer Aethon. The zero-day vulnerabilities, so called because there was no fix available when they were first uncovered, were reported to Aethon, who engineered and rolled out a patch to protect the bots.

The vulnerabilities would have allowed hackers to send the robots control commands, take photos, and access the system’s user database.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,” said Asher Brass, head of cyber network analysis at Cynerio.

“If attackers were able to exploit JekyllBot:5. they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”

Tug robots are designed to transport medication, linens and waste around hospitals and has been installed in hundreds of hospitals around the US.

Capable of carrying up to 600kg and travelling around 3kph, Cynerio warned that any hacker exploiting the bug would be able to use them to “crash into staff, visitors and equipment”.

The Independent has contacted Aethon for a comment about the security vulnerabilities.

The Tug robots are part of an emerging trend of hospitals employing robots to carry out increasingly sophisticated tasks. The researchers warned that the healthcare industry should prioritise security over all else due to the sensitivity of both the data processed and the robots’ physical surroundings.

“Hospitals need solutions that go beyond mere healthcare IoT (internet-of-things) device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Cynerio founder Leon Lerman.

“Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in