JekyllBot5 could have allowed hackers to take over hospital robots

ICYMI: A combination of serious server vulnerabilities and configuration mishaps discovered earlier this year could have let attackers cause chaos of the low-speed variety in hospitals by hijacking their robot helpers. IT Brew talked with Asher Brass, head of cyber analysis for Israeli healthcare cybersecurity startup Cynerio, about how he discovered and resolved vulnerabilities (collectively called JekyllBot5) in server software for ST Engineering Aethon’s Tug robots with the assistance of federal cybersecurity officials.

Tug robots are bulky, autonomous cargo carts that are used in hospitals for logistical tasks like delivering medication and lab samples or cleaning, giving staff like nurses and lab technicians more time for other duties. Aethon says robots operate in 150+ hospitals, including 37 VA hospitals, usually in fleets of dozens.

In December, Brass told IT Brew, he and the Cynerio Live research team discovered serious vulnerabilities in the Aethon Tug Homebase Server’s JavaScript and API implementation, including one WebSocket bug carrying a 9.8 CVSS score. The now-resolved bugs seemed so serious and easily exploitable that Brass moved to contact Aethon via the Cybersecurity and Infrastructure Security Agency (CISA) “as soon as possible.”

While doing routine work at a client hospital, Brass noticed “interesting [network] traffic” and began to investigate, discovering their Tug fleet management server incorrectly allowed access to any user.

“Basically, the brain of this whole operation can be talking to anywhere from a dozen to over 100 Tug robots that are operating at any given time in a hospital,” Brass said. Further investigation led to more ominous findings, including that any user connected to the network could access the API for managing users and up their privileges to administrator.

With this unapproved access, Brass told IT Brew, he could theoretically do anything from seize control of the Tug robots’ cameras to pilot them using what appeared to be a “hidden” joystick feature. Brass could also modify or delete users at will, including Aethon’s superuser account used for remote access, though it wasn’t clear if that could be overridden by the company, or if it had other backdoors into the software. Worse, Brass found a Google search result that linked to insecure Tug fleet management consoles at other hospitals.

“I clicked the link and I was in,” Brass said. “...Right over the internet, I can see photos from within the hospital, I can do the same API trick.”

“Even if the HTTP port was closed, and you couldn’t actually surf to that web page, there was an open port that the console used to talk to the robots, and you could connect to that port over a web socket and just send arbitrary commands to robots,” Brass said.

An attacker could “not only move them from place to place but get them to call elevators to your floor, get them to ride elevators, get them to open doors, close doors, open the drawers that contain medication or the lab samples that they’re transporting, delete active users,” he continued.

Some of the issues could have been mitigated by other network security measures, Brass said, but in every single hospital running a Tug server that he observed, “I was able to do the API manipulation as an authenticated user and the WebSocket manipulation as an authenticated user.”

Brass said he never attempted to exploit the bugs, but instead contacted CISA. A week later, Aethon released patches, as well as firmware updates to every Tug bot. CISA released an alert about the issue in mid-April.

“I’m pleased to say that they’ve successfully mitigated the vulnerabilities that we disclosed,” Brass told IT Brew.

In a statement attributed to CEO Peter Seiff, Aethon told IT Brew the bugs were never exploited, and fixes were prioritized.

“No vulnerability was actually exploited at this site or any other,” Sieff wrote. “It is important to note that our system does not interact with any sensitive data and the vulnerability identified would not have inadvertently exposed patient, staff or financial data. Nonetheless, after being informed by CISA, Aethon took immediate action.”

Brass told IT Brew that the “huge, huge number” of smart systems in hospitals means they should prioritize dedicated cybersecurity.

“These robots, they’re technically not clinical,” Brass said. “But we were just talking about how if you disrupt them, you’re disrupting all kinds of different clinical activities, right?…If you have a thermometer controlling a lab, and you suddenly start boiling the lab, all the samples are gonna go bad.”

“So all hospitals have a lot of IoT…that they have to manage, and it’s very, very hard to do so without a dedicated solution,” Brass added.—TM