Cybersecurity start-up Cynerio, which specializes in healthcare Internet of Things (IoT) security solutions, has discovered five vulnerabilities affecting autonomous robots in use at hundreds of hospitals worldwide. According to the company, the group of vulnerabilities – collectively named JekyllBot:5 – could be used to disrupt the delivery of medication or supplies, impede staff, and remotely surveil patients and doctors. Following Cynerio’s disclosure, Aethon, the manufacturer of the affected robots, has released several patches to mitigate the vulnerabilities.
JekyllBot:5 affects Aethon TUG smart autonomous robots, which are designed to handle healthcare-related tasks such as distributing medication, cleaning and transporting hospital supplies. The robots leverage radio waves, sensors, cameras and other technology to open doors, take elevators and travel throughout hospitals unassisted without bumping into people and objects. However, the technology that enables the robots to independently move around the hospital is what makes their vulnerabilities dangerous in the hands of a potential attacker.
“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges and no user interaction to be successfully leveraged in an attack,” said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and head of cyber network analysis at Cynerio. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”
The vulnerabilities make several harmful actions possible. An attacker could delay the timely delivery of patient medications and lab samples, or shut down or obstruct hospital elevators and door locking systems. The robots’ cameras could be used to monitor, photograph or film vulnerable patients and staff, as well as sensitive patient medical records. Finally, legitimate administrative user sessions in the robots’ online portal could be hijacked and malware injected through the administrator’s browser, enabling further cyberattacks on IT and security team members at healthcare facilities.
With Aethon’s patches applied, the robots are no longer vulnerable to JekyllBot:5 – though the fact that such vulnerabilities could have gone undiscovered may be cause for concern, and may prompt further discussion of the safety protocols surrounding autonomous hospital robots.
“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”