A vulnerability recently detected in hospital robots could have given anyone access to live photos, videos and medical records within a hospital system, according to an investigating cybersecurity firm.
New York-based healthcare cybersecurity firm Cynerio announced today that it had uncovered previously unidentified vulnerabilities in Aethon TUG robots — smart autonomous mobile robots used in hundreds of hospitals across the globe to assist in tasks like medication distribution, hospital cleaning and supply transport. Aethon, which is headquartered in Robinson Township outside of Pittsburgh, enables its TUG robots to interact with hospital systems through radio waves, sensors, cameras and more so that they can move freely and independently throughout the building as needed.
Aethon acknowledged the vulnerability in a brief news post on Monday, though the post was removed from the site by Tuesday morning. Technical.ly has reached out to the company for comment and will update this story if we hear back. Peter Seiff, CEO of Aethon, an ST Engineering company, confirmed the TUG robots’ vulnerabilities to TechCrunch.
Among the hundreds of hospitals using TUG is local healthcare system UPMC, which was also an early adopter and testing site for TUGs. Aethon also names the Hospital of the University of Pennsylvania and Lehigh Valley Hospital as customers.
The set of vulnerabilities discovered by Cynerio in the robots is now referred to as JekyllBot:5 and includes five distinct vulnerabilities spanning unauthenticated information access, remote control of the TUG robots by unauthenticated third parties and more. Since discovery of the vulnerabilities in December of last year, Cynerio and Aethon have worked to resolve all problems with the systems.
“We are pleased that the notification process worked as intended and helped to discover, report, and rectify system vulnerabilities in a collaborative effort so that we can continue to stay a step ahead of bad actors and provide the efficiency systems like ours are made to deliver,” Aethon’s originally published statement said about the Cybersecurity and Infrastructure Security Agency’s notification system, per CyberScoop.
Asher Brass, the lead researcher on the JekyllBot:5 team at Cynerio, told Technical.ly last week that he first identified the vulnerabilities after taking a look at the elevator systems in a hospital that had hired Cynerio for its cybersecurity consulting services, as he noticed some unexpected patterns in the motion of the elevators throughout the day.
“I would expect an elevator probably to be talking to some sort of industrial control system or something of the sort,” he said. “But it was talking to what I later found out was the TUG home base server.”
Through more digging, Brass found that the TUG home base server, which is connected to the elevator controls so that the robots can travel between hospital floors on their own, exposed an HTTP port that served Aethon’s web portal without requiring authentication. Anyone who could reach that port could view robot status, hospital layout maps and the robots’ camera feeds, and could also send commands to the robots. The same portal let an attacker plant malicious code that would run on the computers of users who opened it to retrieve robot data, according to a report from Cynerio on the vulnerabilities. (Read the JekyllBot-5 Vulnerability Report here.)
In practical terms, the flaws in the Aethon TUG robots and their software could let an attacker disrupt delivery of patient medication or lab samples; shut down or obstruct hospital elevators, doors and rooms; capture video and photos of anyone or anything in the hospital; control all physical movements of the robots; and hijack the sessions of administrators using the robots’ portal to push malware onto those users’ computers.
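The exposure Brass describes, a device portal that answers anonymous HTTP requests, is easy to check for once you know which hosts to look at. The following is an added example, not Cynerio’s or Aethon’s code: it starts a toy “home base” portal on localhost (the paths /status, /map and /admin and the demo credentials are invented stand-ins, not real Aethon endpoints or defaults) and then probes each path with no credentials, reporting which ones hand over data to an anonymous client. Only the /admin path is gated, which mirrors the weak configuration on the page next to a gated one.

```python
"""Audit which paths on a device web portal answer without credentials.

Added example, not Cynerio's or Aethon's code. The local server below
stands in for a device "home base" portal; the paths /status, /map and
/admin and the demo credentials are invented for illustration.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the demo portal (not real Aethon defaults).
DEMO_USER, DEMO_PASS = "admin", "demo-password"


class DemoPortal(BaseHTTPRequestHandler):
    """Toy portal: two paths are open to anyone, one is gated by Basic auth."""

    # Weak configuration: status and map data served to any client that connects.
    OPEN_PATHS = {
        "/status": b'{"robot": "TUG-1", "battery": 87}',
        "/map": b"<svg>floor plan</svg>",
    }

    def _authorized(self):
        expected = base64.b64encode(f"{DEMO_USER}:{DEMO_PASS}".encode()).decode()
        return self.headers.get("Authorization", "") == f"Basic {expected}"

    def do_GET(self):
        if self.path in self.OPEN_PATHS:
            self._reply(200, self.OPEN_PATHS[self.path])
        elif self.path == "/admin":
            # Hardened configuration: challenge for credentials before serving.
            if self._authorized():
                self._reply(200, b"admin console")
            else:
                self._reply(401, b"", {"WWW-Authenticate": 'Basic realm="portal"'})
        else:
            self._reply(404, b"")

    def _reply(self, code, body, extra_headers=None):
        self.send_response(code)
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_portal():
    """Start the toy portal on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), DemoPortal)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_unauthenticated(host, port, paths, timeout=3):
    """GET each path with no credentials and return {path: HTTP status}.

    200 means the device handed the resource to an anonymous client, the
    kind of exposure described for the TUG portal. 401/403 means some gate
    exists (it says nothing about how strong that gate is).
    """
    results = {}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        for path in paths:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection can be reused
            results[path] = resp.status
    finally:
        conn.close()
    return results


def exposed_paths(results):
    """Paths that answered 200 to an anonymous request, sorted for reporting."""
    return sorted(p for p, code in results.items() if code == 200)


def run_demo():
    """Bring up the toy portal, probe it anonymously, and tear it down."""
    server, port = start_demo_portal()
    try:
        return probe_unauthenticated(
            "127.0.0.1", port, ["/status", "/map", "/admin", "/nope"]
        )
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    found = run_demo()
    for path, code in found.items():
        print(f"{path:10s} -> {code}")
    print("served without credentials:", exposed_paths(found))
```

Two caveats when pointing this at a real device portal: run it only against equipment you are authorized to test, and do not trust the status code alone, since some portals return 200 with a login page rather than a 401. Compare the body (or its length) against what an authenticated client receives before concluding a path is open, and treat any camera, map or control endpoint that answers anonymously as a finding regardless of how the vendor describes it.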
While Brass said his team didn’t find any evidence that hackers or other malicious parties had taken advantage of these system weaknesses, that doesn’t mean the risk wasn’t very real: “It became very clear that if someone had wanted to do this and someone had done this before us they could have done it very easily.”
Despite the gravity of this vulnerability, Brass wasn’t surprised that it had gone undetected by the hospitals using Aethon TUGs. While many hospitals have some form of an IT security team in place, they often vary in size or resources and typically deal with hacks into email systems or cloud services. But the healthcare industry has more cybersecurity needs than can really be met by those teams, Brass said.
“In order to really examine the medical devices and the IoT, you need a company that specializes in these things because they look very, very different,” said the researcher. (Yes, like Cynerio.) “Their network communication is different, their profile is different, what constitutes an attack is very different, and so it really required specialization.”
Sophie Burkholder is a 2021-2022 corps member for Report for America, an initiative of The Groundtruth Project that pairs young journalists with local newsrooms. This position is supported by the Heinz Endowments. This editorial article is a part of Cybersecurity Month of Technical.ly's 2022 editorial calendar.