JekyllBot:5 flaws allow hacking TUG autonomous mobile robots in hospitals

Researchers discovered five vulnerabilities that can be exploited to remotely hack hospital Aethon’s TUG autonomous mobile robots.

Researchers at healthcare IoT security firm Cynerio discovered a collection of five vulnerabilities impacting TUG autonomous mobile robots, collectively named JekyllBot:5, that could be exploited by remote attackers to hack the devices.

According to a US CISA advisory, the successful exploitation of these flaws could cause a denial-of-service condition, allow full control of robot functions, or expose sensitive information.

A TUG is an autonomous mobile robot designed for hospitals by Aethon. It uses a built-in map and sensors to navigate hospital halls and communicates with elevators, fire alarms and automatic doors via Wi-Fi. These autonomous robots work in the hospital 24/7 moving materials and clinical supplies

The experts discovered the issues while deploying the TUG autonomous mobile robots in a hospital, they noticed an anomalous HTTP network traffic of an elevator to a server containing information about the hospital (i.e. map of the building), the status of the robots, video and pictures collected by the TUG systems, and more.

Giving a close look at the server the experts discovered it was possible to access the devices without authorization and take over the TUG autonomous mobile robots.

The lack of authorization and identity checks allowed the researchers to create new admin users to the system, access user credentials, and even remotely control the robots.

“Late last year, a Cynerio Live researcher detected anomalous network traffic that seemed to be related to the elevator and door sensors. That in turn led to an investigation that revealed a connection from the elevator to a server with an open HTTP port, which then gave the researcher access to a company web portal with information about the Aethon TUG robots’ current status, hospital layout maps, and pictures and video of what the robots were seeing.” reads the report about the JekyllBot:5 published by the expets. “Subsequent research revealed that control of the robots was also possible through this unauthorized access.”

The researchers have illustrated some attack scenarios related to the exploitation of the JekyllBot:5 vulnerabilities. An attacker can hijack the robots to crash them into people and objects, use them to harass patients and staff, for surveillance purposes, to interfere with the delivery of critical patient medication, access patient medical records in violation of HIPAA, and more.

The experts also explained that an attacker could exploit the JekyllBot:5 flaws to hijack legitimate administrative user sessions in the robots’ online portal and inject malware through their browser to conduct further malicious activities.

Cynerio ethically disclosed the issues to Aethon and the vendor addressed it with the release of firmware updates.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TUG autonomous mobile robots)

[adrotate banner=”5″]

[adrotate banner=”13″]