Security News > 2022 > April > Critical bug allows attacker to remotely control medical robot
Mobile robot maker Aethon has fixed a series of vulnerabilities in its Tug hospital robots that, if exploited, could allow a cybercriminal to remotely control thousands of medical machines.
Cynerio did find "Several" hospitals in the US and globally that were using the internet-connected robots, and in each of these cases the researchers could exploit the vulns to remotely control the robots from the Cynerio Live research lab.
"Cynerio has worked closely with Aethon, the manufacturer of these robots, to ensure that the latest version of the robot firmware contained patches and fixes for each vulnerability the Cynerio Live research team found before any public reporting," the researchers wrote.
"The /api/tug/v3/ and /api/tug/v2/ methods were freely accessible over HTTP on ports 8081 and 80, and could be used by an unauthenticated attacker to obtain real-time photos from TUG robots, obtain current robot coordinates, and other potentially sensitive information," the researchers warned.
Once they have complete control over the Tug robots, the attackers' illicit activities could range from annoying - such as harassing and running into people and objects - to potentially deadly if they exploited the vuln to prevent patients from receiving critical medications.
The user interface has a joystick module that allows users to control the robots.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/12/critical_vuln_hospital_robots/