Researchers have warned of critical “JekyllBot:5” security vulnerabilities in hospital robots. These five distinct security flaws allowed a remote attacker to take control of the affected devices.
JekyllBot:5 Vulnerabilities Exposed Robots To Remote Attackers
According to a recent report from Cynerio, multiple security bugs were discovered in the Aethon TUG smart autonomous mobile robots. Dubbed “JekyllBot:5”, these five vulnerabilities could allow remote attacks on the affected hospital robots, putting both hospital operations and patient safety at risk.
The Aethon TUG smart autonomous mobile robots assist hospitals in patient-care practices, such as delivering medicines and hospital supplies and managing minor labor activities.
In brief, the five vulnerabilities the researchers discovered in the robots are the following.
- CVE-2022-1070 (Critical; CVSS 9.8): An improper end-user verification vulnerability could allow an unauthenticated attacker to connect to the TUG Home Base Server websocket.
- CVE-2022-1066 (CVSS 8.2): Due to a missing authorization check, an unauthenticated attacker could add new users with admin access or delete existing users.
- CVE-2022-26423 (CVSS 8.2): A missing authorization check in the software allowed an unauthenticated adversary to access hashed user credentials.
- CVE-2022-27494 (CVSS 7.6): Improper neutralization of user-controllable input led to a stored XSS vulnerability on the “Reports” tab of the Fleet Management Console.
- CVE-2022-1059 (CVSS 7.6): Improper neutralization of user-controllable input led to a reflected XSS vulnerability in the load tab of the Fleet Management Console.
Patches Deployed With Latest Firmware
The researchers explained that exploiting the bugs was trivial and required no specific skill set. Successful exploitation could allow attackers to control the target device, lock out legitimate users, and access real-time data and camera feeds.
Upon discovering the bugs, the researchers reported the matter to the affected hospital and to the vendor. In response, Aethon patched the vulnerabilities in collaboration with Cynerio and shipped the fixes in the latest TUG firmware. The vendor also deployed firewalls at hospitals with vulnerable robots to block public access to the devices through the hospitals' IP addresses.