Servers that control robots working in hospitals had major flaws in security coding.
The robots perform menial tasks like delivering medicine and transporting equipment in hospitals, but could be exploited to do harm.
Aethon TUG intelligent autonomous robots are a cost-effective way for hospitals and other businesses to delegate simple tasks away from busy human employees.
They can lift hundreds of pounds, clean floors, and perform other adjacent maintenance tasks.
To navigate, the TUG robot uses radio waves to access a given hospital’s network of motion-sensing doors and elevators.
Because of their ability to bypass security clearances and gain access to medications or rooms not accessible to a regular visitor, the thousands of TUG robots in US hospitals are a prime target for hackers.
A major security vulnerability was first reported by Cynerio, a cybersecurity company that works specifically in the healthcare industry.
Cynerio dubbed the collection of five different security flaws JekyllBot:5.
JekyllBot:5 is what IT people call a “zero-day vulnerability” – a term for a flaw that has no existing patch.
The Independent quoted Cynerio’s head of cyber network analysis as saying: “These zero-day vulnerabilities required a very low skill set to exploit, no special privileges and no user interaction to exploit successfully in an attack.”
The TUG bots most at risk were those actively connected to the internet.
Cynerio released a report on JekyllBot:5’s capabilities, dividing the risks into two categories: the risk of unauthorized bot control and the risk of installing malware.
The company wrote that the bots could have been used to give hackers “an access point to move laterally through hospital networks, perform reconnaissance, and potentially conduct ransomware attacks, breaches, and other threats.”
The bots have been taken offline to prevent hackers from accessing them while work continues on applying patches.
Hospitals using TUG robots are advised to ensure that their robots are patched with the latest firmware and software available.
Peter Seiff, CEO of ST Engineering Aethon, declined to answer questions posed by TechCrunch regarding the progress of the security patch installation.
This story originally appeared on The Sun and has been reproduced here with permission.