Servers that control robots working in hospitals were found to have major gaps in security coding.
The robots perform menial tasks like delivering medications and transporting materials across hospitals but could be exploited to do harm.
Aethon TUG smart autonomous robots are a cost-effective way for hospitals and other businesses to delegate simple tasks away from busy human employees.
They can lift hundreds of pounds, clean floors and execute other maintenance-adjacent tasks.
To navigate, the TUG robot uses radio waves to tap into a given hospital’s network of motion sensor doors and elevators.
Because of their ability to bypass security clearances and access medicines or rooms not afforded to a regular visitor, the thousands of TUG robots in US hospitals are a keen target for hackers.
A major security vulnerability was first flagged by Cynerio, a cybersecurity company that works specifically in the healthcare sector.
Cynerio dubbed the collection of five different security gaps JekyllBot:5.
JekyllBot:5 is what computer scientists call a “zero-day vulnerability” – a term for a flaw that has no existing patch.
The Independent quoted the head of Cynerio’s cyber network analysis saying “These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack.”
The TUG robots most at risk were the ones actively connected to the internet.
Cynerio published a report on JekyllBot:5’s capabilities divided the risks into two categories: risk of unauthorized control of the robots and risk of malware installation.
The company wrote that the robots could have been used to give hackers “an access point to laterally move through hospital networks, perform reconnaissance, and eventually carry out ransomware attacks, breaches, and other threats.”
The robots were taken offline to prevent hackers from accessing them and work on applying fixes.
Hospitals using TUG robots are advised to see that their bots are patched with the latest firmware and software available.
Peter Seiff, the CEO of ST Engineering Aethon, refused to answer questions posed by TechCrunch regarding the progress of security patch installation.
This story originally appeared on The Sun and was reproduced here with permission.