- #Hospital robot atempts to escape hospital manual#
- #Hospital robot atempts to escape hospital Patch#
- #Hospital robot atempts to escape hospital software#
Cynerio also recommends ensuring no external internet activity is enabled on the device, while segmenting their network to restrict access if an exploit occurs.“We've named ours after fruit,” he says, forcefully, over the fans.
#Hospital robot atempts to escape hospital Patch#
The research found the robots mostly likely don’t allow security agents to be installed, so the only mitigation would be to apply the updates or completely reconfigure the devices’ operating system.Īs such, all hospitals using the impacted robots are being urged to apply the latest patch with the updated firmware to prevent an exploit. Overall, it’s important to note that these flaws could be exploited over the network and internet, requiring a low skillset, no privileges, and no interaction. As previously discussed, vulnerability disclosures are crucial to understanding existing security gaps in the healthcare setting, but the most likely and relevant attack methods are those an attacker could perform at scale.įor the JekyllBot:5, the most pressing risk is that it could enable a threat actor to exploit the flaw to access medical records, disrupt tasks, and “hijack legitimate administrative user sessions in the robots’ online portal and inject malware through their browser to perpetuate further cyberattacks.” The report details the range of activities the researchers were able to perform upon exploiting the flaws. The concern is that these robots “are able to access otherwise restricted areas of the hospital,” given its collection of sensors and cameras able to move without human interaction.Ĭynerio has worked closely with Aethon to ensure the latest firmware included patches and fixes for these flaws, long before releasing the report detailing the potential impacts. “This meant that all security measures in place for these devices could be bypassed… and every action Cynerio researchers subsequently tested were not validated or checked by the system.” “The security components underpinning Aethon Tug devices were located in the JavaScript running in the browser of the user connected to their portal,” according to the report.
These elements rely on absolute trust to perform commands, spotlighting the major security issue at the core of the robots’ operating system. JekyllBot is found within the TUG Homebase Server’s JavaScript and API implementation and a websocket. These flaws leave the Fleet Management console’s ‘reports’ and ‘load’ tabs vulnerable to cross-site scripting attacks when creating or editing new reports.
#Hospital robot atempts to escape hospital software#
The final two flaws, CVE-2022-27494 and CVE-2022-1059, are ranked 7.6 in severity and caused by the software failing to or incorrectly neutralizing “user-controllable input before it’s placed in output,” used as a web page for other users. The CVE-2022-1066 and CVE-2022-26423 vulnerabilities are both ranked 8.2 in severity and caused by the device failing to perform an authorization check when an actor attempts to access a resource or perform an action.Ī successful exploit of either flaw would enable an unauthenticated actor to arbitrarily add new users with admin privileges, delete or modify existing users, and/or freely access hashed user credentials. The “product does not adequately verify the identity of actors at both ends of a communication channel, nor does it adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.”Īs a result, a successful exploit would allow an unauthenticated attacker to connect to the TUG Home Base Server web socket and take control of the device. The most critical flaw, CVE-2022-1070, is ranked 9.8 in severity.
The discovery uncovered a connection from the elevator to a server with an open HTTP port, which gave the researcher access to a company web portal that contained information on both the hospital and the robot itself, including images and videos of the hospital. The flaws were discovered during a deployment on a customer hospital, when a researcher detected anomalous network traffic “that seemed related to the elevator and door sensors.”
#Hospital robot atempts to escape hospital manual#
The Cynerio Live research team examined the Aethon TUG robots, which are used in hundreds of global hospitals to deliver medications and maintenance supplies, in addition to performing simple manual labor and other uncomplicated tasks. The findings have been dubbed JekyllBot:5 and were responsibly disclosed to Aethon. A group of five critical zero-day vulnerabilities found in Aethon TUG smart autonomous mobile robots could give a remote attacker control over the device and its console, according to new research from Cynerio.
0 kommentar(er)
