Autonomous Robots: Cybersecurity Startup Detects 5 Vulnerabilities in Aethon Devices for Medical Use

A cybersecurity startup recently detected five vulnerabilities in Aethon TUG robots that could have permitted hackers to control them, unlock doors and watch patients.

As indicated in a 90.5 WESA report, autonomous robots developed by a company based in Pittsburgh and deployed in hospitals throughout the country have been susceptible to a slew of remote attacks, researchers at Cynerio said.

According to Asher Brass, lead researcher of Cynerio, "You're basically only limited by your imagination" with what can be done with the robots once accessed.

Brass added that anyone bringing a laptop into a hospital lobby could have seen camera feeds from all those TUG robots.


5 Vulnerabilities Detected

In certain circumstances, the vulnerabilities could have enabled hackers to control the robots from anywhere in the world. A similar WIFT report said that even a low-skilled hacker could have exploited the flaws.

Hundreds of hospitals have bought autonomous robots over the past ten years to help with laborious tasks like transporting medication, linens, and lab samples. UPMC uses the Aethon bots for these tasks at several facilities.

Describing the discovery, Brass said he initially noticed problems with the Aethon TUG robot in December last year when an undisclosed hospital hired Cynerio to audit its cybersecurity.

The five vulnerabilities, which Cynerio refers to as JekyllBot:5, are flaws in the base servers the robots use to communicate and navigate the hospital.

The most serious flaw scored 9.8 out of 10 on the open-source Common Vulnerability Scoring System, described on the National Vulnerability Database website.

Hackers' Attack

Cynerio discovered evidence of a number of hospitals with Aethon TUG robots exposed to the internet and warned them about the vulnerabilities.

Essentially, if attackers had been able to exploit JekyllBot:5, they could have taken full control of the system, gained access to device data and real-time camera feeds, and wreaked havoc and destruction at hospitals through the robots, explained Brass.

Meanwhile, Cynerio did not detect any evidence of an attack on an Aethon TUG robot. Still, Brass contends that certain actions like taking pictures of medical information and charts could have continued in theory for some time now, and there would be "no way of knowing it."

The vulnerabilities were reported to be "all zero-day." This means that they were never reported before and had no fixes until Aethon and Cynerio created them over the past few months.

Critical Vulnerability of Devices in Hospitals

The TUG robots are a single product in a so-called "tidal wave of internet-connected devices," intended to improve efficiency in healthcare. However, as new devices are added to the Internet of Things, there are new dangers, Brass cautioned. The most common risks, he elaborated, do not always make headlines.

The expert explained that it is tempting for cybersecurity practitioners to try to shield themselves from the most interesting and technically cutting-edge vulnerabilities. He noted that the vast majority of cyberattacks experienced by hospitals are simple.

In a recent report on the state of healthcare IoT device security, Cynerio discovered that more than 50 percent of connected medical devices and other IoT devices in hospitals have a known critical vulnerability.

Nevertheless, the most common danger was a device still using its default password, which a hacker could effortlessly obtain from manuals uploaded online.
