Hospital robot system gets five critical security holes patched
2022-04-12 18:58

Researchers at healthcare cybersecurity company Cynerio just published a report about five cybersecurity holes they found in a hospital robot system called TUG. TUGs are pretty much robot cabinets or platforms on wheels, apparently capable of carrying up to 600kg and rolling along at just under 3km/hr.

During what we're assuming was a combined penetration test/security assessment job, the Cynerio researchers were able to sniff out traffic to and from the robots in use, track the network exchanges back to a web portal running on the hospital network, and from there to uncover five non-trivial security flaws in the backend web servers used to control the hospital's robot underlords.

The researchers also duly noted in their report that, at the hospital where they were investigating with permission, the robot control portal was not directly visible from the internet, so a would-be attacker would have already needed an internal foothold to abuse any of the bugs they found.

According to the researchers, TCP-level access to the robot control server was enough to issue unauthenticated commands to currently active robots.

In this case, the fact that the robot portal was shielded from the internet gave the hospital some breathing space to react to the researchers' report while the vendor worked on the responsibly disclosed bugs.

Although the researchers behind the name JekyllBot seem to have indulged themselves with dramatic examples of how these bugs might be used to wreak low-speed/high-torque robotic havoc in a hospital corridor, for example by describing robots "Crashing into staff, visitors and equipment", and attackers "Wreak[ing] havoc and destruction at hospitals using the robots".

News URL

https://nakedsecurity.sophos.com/2022/04/12/five-critical-bugs-fixed-in-automatic-hospital-robot-control-system/