Five security flaws in Aethon TUG hospital robots have been patched. Before the fix, they allowed remote attackers to take control of the robots and disrupt the delivery of medication and lab samples.
Exploiting these vulnerabilities could cause a denial of service, give an attacker full control of robot functions, or expose sensitive data, according to a recent CISA advisory.
Aethon TUG smart autonomous mobile robots are used in hospitals worldwide to deliver medication, transport clinical supplies, clean floors and collect meal trays.
According to Cynerio, the flaws in the TUG Home Base Server component allow attackers to halt medication deliveries, spy on patients and staff through the robots' cameras, and access confidential data.
Worse, an adversary could use the flaws to hijack legitimate administrative user sessions and deploy malware inside a healthcare facility's network.
The healthcare IoT security firm warned that exploiting the flaws could allow attackers to "laterally move through hospital networks, perform reconnaissance and eventually carry out ransomware attacks, breaches, and other threats."
The following deficiencies were discovered late last year during an audit for a healthcare provider client:
Unauthenticated attackers can connect to the TUG Home Base Server WebSocket and take control of TUG robots.
CVE-2022-1066 (CVSS 8.2) - An unauthenticated attacker can add new admin users, delete or modify existing admin users.
Unauthenticated attackers can access hashed user credentials.
CVE-2022-27494 (CVSS 7.6) - When new reports are created or edited, the Fleet Management Console is vulnerable to stored cross-site scripting attacks.
A fifth flaw (CVSS 7.6) - The Fleet Management Console's "Load" tab is vulnerable to reflected cross-site scripting attacks.
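The two highest-impact flaws in the list above share one root cause: a control channel that never checks who is on the other end. The following Python sketch is an added illustration, not Aethon's code or any part of the TUG software, and every name in it (the session cookie format, the `ADMIN_ACTIONS` set, the allowed Origin, the demo key) is an assumption chosen for the example. It places the unauthenticated pattern the advisory describes beside a hardened dispatcher that authenticates the WebSocket handshake, rejects cross-origin browser connections, and restricts user-management actions to administrators.

```python
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

# Everything below is a hypothetical model for illustration, not the vendor's API.
SESSION_KEY = b"replace-with-a-key-from-your-secret-store"  # constructed demo key
ALLOWED_ORIGINS = {"https://fleet.example.internal"}          # constructed
ADMIN_ACTIONS = {"add_user", "delete_user", "modify_user"}    # illustrative names


def execute(command):
    """Stand-in for dispatching a command to a robot or the user database."""
    return {"status": 200, "executed": command["action"]}


def issue_session(user, role):
    """Create an HMAC-tagged session token (hex payload + '.' + tag)."""
    payload = json.dumps({"user": user, "role": role}, separators=(",", ":")).encode()
    tag = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_session(token):
    """Return the session claims if the tag is valid, otherwise None."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token
    return json.loads(payload)


def vulnerable_dispatch(headers, command):
    """The flawed pattern: anyone who completes the WebSocket handshake may issue commands."""
    return execute(command)


def hardened_dispatch(headers, command):
    """Authenticate the handshake, then authorise each command by role."""
    # 1. An Origin allow-list blocks cross-site WebSocket hijacking launched
    #    from a victim's browser, which cookies alone do not prevent.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return {"status": 403, "error": "origin not allowed"}
    # 2. The upgrade request must carry a valid session cookie.
    cookie = SimpleCookie(headers.get("Cookie", ""))
    morsel = cookie.get("session")
    session = verify_session(morsel.value) if morsel else None
    if session is None:
        return {"status": 401, "error": "authentication required"}
    # 3. Per-action authorisation: only admins may manage admin accounts.
    if command.get("action") in ADMIN_ACTIONS and session["role"] != "admin":
        return {"status": 403, "error": "admin role required"}
    return execute(command)
```

The tampering case is the one worth testing: a token whose payload is rewritten to claim `"role": "admin"` while keeping the original tag must fail `verify_session`, which is why the tag is checked with `hmac.compare_digest` before the payload is trusted. A real deployment would additionally expire sessions and bind them to TLS; the sketch stops at the checks the flaw list implies.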
"These zero-day vulnerabilities required very little skill to exploit, no special privileges, and no user interaction," said Cynerio's Asher Brass.
Had attackers exploited the flaws, which Cynerio collectively named JekyllBot:5, they could have taken over the system, accessed real-time camera feeds and device data, and severely disrupted the hospitals that rely on the robots.