Critical vulnerabilities allow hacking medical surgical robots and putting lives at risk

Engineering firm Aethon announced the correction of various vulnerabilities in its Tug hospital robots whose exploitation would allow threat actors to take remote control of compromised devices. These flaws, identified as JekyllBot:5, can be exploited without administrator interaction and the successful attack could even disrupt the proper functioning of critical medical devices.

Aethon has been manufacturing Tug robots since 2004, and there are currently thousands of them in hospitals in North America, Europe and Asia. This includes more than 37 hospitals in the U.S., among them the University of California-San Francisco Medical Center and Stanford Hospital.

The problems were identified by security firm Cynerio, and received scores between 7.7 and 9.8 according to the Common Vulnerability Scoring System (CVSS).

During their tests, the researchers discovered how easy it would have been to exploit these flaws in hospitals around the world: “The exploitation of JekyllBot:5 would have allowed hackers to gain access to real-time surveillance systems, medical device data, and access systems, with the potential to wreak severe havoc on medical facilities,” notes the report.

The most severe of the flaws, tracked as CVE-2022-1070, exists because the affected machines do not verify the identity of users at both ends of the communication channel. This bug would allow unauthenticated hackers to connect to the Tug base server websocket and control compromised devices remotely.

CVE-2022-1066 and CVE-2022-26423 are also bypass flaws that exist because the software does not perform proper authorization checks, allowing malicious hackers to add new users with administrator permissions, lock legitimate users out, and access encrypted credentials.

Finally, CVE-2022-27494 and CVE-2022-1059 were described as cross-site scripting (XSS) flaws in the fleet management console. These flaws exist because the software does not neutralize user-controllable input before placing it in the output rendered by the management console, allowing malicious hackers to hijack the sessions of highly privileged users or inject malicious code into a user’s browser through the console.

The manufacturer was immediately notified and updates were released soon after, so the security risk should have already been mitigated. So far there is no evidence of active exploitation.