PITTSBURGH - Autonomous robots made by a Pittsburgh-based company and deployed in hospitals across the country have been vulnerable to a slew of remote attacks, according to researchers at Cynerio. The cybersecurity startup found five vulnerabilities in Aethon TUG robots that could have allowed hackers to control them, open locked doors and watch patients.
“You’re basically only limited by your imagination with what you can do with these robots once you have access,” said Cynerio’s lead researcher Asher Brass. “Anyone who brought a laptop into a hospital lobby could’ve … seen camera feeds from all of these robots.”
In some cases, the robot’s vulnerabilities could have allowed hackers to control them from anywhere in the world. Even a low-skilled hacker could have exploited the flaws, according to Brass.
Hundreds of hospitals have purchased autonomous robots over the last decade to help with laborious tasks, such as transporting medication, lab specimens and linens. UPMC uses the Aethon bots for those tasks at multiple facilities. In 2018, UPMC Presbyterian was featured on "Good Morning America" after workers dressed Aethon TUGs in Halloween costumes to pass out candy to young patients.
Brass said he first noticed issues with the Aethon TUG robot in December when an undisclosed hospital hired Cynerio to audit its cybersecurity.
The five vulnerabilities, which Cynerio refers to as JekyllBot:5, are flaws in the base servers the robots use to communicate and navigate the hospital. The most serious flaw scored 9.8 out of 10, in the "critical" band, on the Common Vulnerability Scoring System (CVSS), an open industry standard for rating vulnerability severity.
Cynerio found evidence of several hospitals with Aethon TUG robots exposed to the internet and warned them about the vulnerability.
“If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots,” Brass said.
Cynerio did not find any evidence of an attack on an Aethon TUG robot. Still, Brass argues certain actions, such as taking pictures of charts and medical information, “could have been going on in theory for quite some time, and we would have no way of knowing it.”
The vulnerabilities were all “zero-day,” meaning they had not been reported before and no fix existed until Cynerio and Aethon developed patches over the last few months.
Aethon did not respond to WESA’s questions about the vulnerabilities or how the company fixed them. According to Cynerio, the issues were patched with software updates.
UPMC declined to make someone available to answer WESA’s questions about how many Aethon TUG bots it uses or whether leaders were aware of the vulnerabilities before they were made public Tuesday.
“Aethon has shared information publicly on this issue,” a UPMC spokesperson said in a statement. “At UPMC, this equipment is not accessible from the internet, and we have significant controls in place that would prevent external attacks through this means.”
Aethon’s TUG robots are one product in a tidal wave of internet-connected devices that are intended to improve healthcare efficiency. But as new devices are added to the Internet of Things, there are new risks, according to Brass. The most common risks don’t always make headlines.
“It’s tempting for cybersecurity practitioners to try and protect themselves against the most interesting and technically cutting edge vulnerabilities,” Brass said. But he noted the vast majority of cyberattacks faced by hospitals are really simple.
In a recent report about the state of healthcare IoT device security, Cynerio found that 53% of connected medical devices and other IoT devices in hospitals have a known critical vulnerability. But the most common risk was using a device’s default password, which a hacker could easily obtain from manuals posted online.
“This is the rule; this is not the exception,” Brass said. “Hospitals are susceptible to simple vulnerabilities … but they are fixable.”
Cynerio found that network segmentation, dividing a hospital's flat network into smaller, isolated segments so that medical devices are not reachable from guest, office or internet-facing networks, could address 90% of critical risks to connected devices. The company argues hospitals should do more to protect themselves.
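The two findings above, default credentials and missing segmentation, are the kind of checks a hospital can run against its own device inventory. The following is an added example written for this page, not Cynerio's tooling or Aethon's code: it audits a constructed inventory (device names, addresses, the credential list and the segment names and firewall rules are all assumptions made up for the illustration) for devices that still use factory logins, devices on no defined segment, and devices whose segment an untrusted network is allowed to reach.

```python
"""Audit a constructed hospital device inventory for the two risks discussed
above: vendor default credentials and weak network segmentation.
Added example for illustration; inventory, credentials and policy are invented."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed list of factory logins of the kind printed in vendor manuals.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Segments that must never be able to initiate connections to medical devices.
UNTRUSTED = {"internet", "guest-wifi"}


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    username: str
    password: str


def uses_default_credentials(device: Device) -> bool:
    return (device.username, device.password) in DEFAULT_CREDENTIALS


def segment_of(ip: str, segments: dict[str, str]) -> str | None:
    """Most specific (longest-prefix) segment containing `ip`, or None if the
    address belongs to no defined segment, i.e. it sits on a flat network."""
    addr = ipaddress.ip_address(ip)
    best: tuple[str, int] | None = None
    for name, cidr in segments.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None


def sources_allowed_to(segment: str, rules: set[tuple[str, str]]) -> set[str]:
    """Segments the firewall policy (a set of allowed (src, dst) flows) lets
    initiate traffic into `segment`."""
    return {src for src, dst in rules if dst == segment}


def audit(devices: list[Device], segments: dict[str, str],
          rules: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (device name, finding) pairs; an empty list means no findings."""
    findings: list[tuple[str, str]] = []
    for dev in devices:
        if uses_default_credentials(dev):
            findings.append((dev.name, "default-credentials"))
        seg = segment_of(dev.ip, segments)
        if seg is None:
            findings.append((dev.name, "unsegmented"))
            continue
        for src in sorted(sources_allowed_to(seg, rules) & UNTRUSTED):
            findings.append((dev.name, f"reachable-from:{src}"))
    return findings


# Constructed segments; "corporate" deliberately overlaps the device VLAN so
# the longest-prefix match in segment_of() is exercised.
SEGMENTS = {
    "corporate": "10.0.0.0/8",
    "medical-devices": "10.20.0.0/24",
    "legacy": "10.30.0.0/24",
    "robot-mgmt": "10.40.0.0/24",
    "guest-wifi": "192.168.100.0/24",
}

# Constructed allowed flows. The last two are the misconfigurations.
RULES = {
    ("robot-mgmt", "medical-devices"),  # management hosts may reach the robots
    ("corporate", "legacy"),
    ("guest-wifi", "legacy"),           # guest Wi-Fi can reach legacy devices
    ("internet", "legacy"),             # a legacy device is port-forwarded
}

# Constructed inventory.
INVENTORY = [
    Device("tug-01", "10.20.0.11", "admin", "admin"),
    Device("tug-02", "10.20.0.12", "admin", "Xq7!rv2#pL"),
    Device("infusion-07", "10.30.0.5", "root", "root"),
    Device("monitor-03", "172.16.5.9", "svc", "k9T$h2mQ"),
]

# Segmentation fix: drop the two untrusted flows and re-audit.
REMEDIATED_RULES = RULES - {("guest-wifi", "legacy"), ("internet", "legacy")}

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, SEGMENTS, RULES):
        print(f"{name}: {finding}")
```

Run as a script, the audit lists five findings: the first TUG still has its factory login, the infusion pump has both a default login and a segment that guest Wi-Fi and the internet may reach, and the monitor is on no defined segment at all. Re-running with `REMEDIATED_RULES` clears the reachability findings but not the credential ones, which is the point of the article's ordering: segmentation contains exposure, but default passwords still have to be changed device by device.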
“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”