back to article Critical bug allows attacker to remotely control medical robot

Mobile robot maker Aethon has fixed a series of vulnerabilities in its Tug hospital robots that, if exploited, could allow a cybercriminal to remotely control thousands of medical machines. Exploiting these five bugs, collectively called JekyllBot:5, required no special privileges or user interaction. And once used, they could …

  1. Sp1z

    Worrying

    How the hell were these even allowed to leave the factory?

    I'll probably get flamed for this, but the average IoT device has more security than these things.

    1. Version 1.0 Silver badge
      Pirate

      Re: Worrying

      But these are NOT your typical "average IoT device" - I think your comment probably illustrates how this happened, they were designed by people working to fix medical issues and help patients move around - the entire design efforts for any medical device are to make them work 100% and cause no new health issues. The designers were concentrating on making a device that worked, not a device that couldn't be hacked and was 100% secure.

      This is not a criticism of the designers, it looks like they were doing a good job - but the hacking is something that's totally outside the original design efforts - you can't build a device and have the doctor say, "It broke their ankle" and then reply, "sorry about that but it can't be hacked by ransomware."

      These days, building an "unhackable" device is going to need a lot more effort than just meeting the company management's initial design definition.

      1. Doctor Syntax Silver badge

        Re: Worrying

        "the entire design efforts for any medical device are to make them work 100% and cause no new health issues"

        A device with remote access vulnerabilities doesn't meet that description. It seems likely that the cause must be omitting auditing and/or testing for this in the current criteria. You'd think after Wannacry that more notice would have been taken of this. Maybe it is and is grinding its way through some regulatory process.

      2. Sp1z

        Re: Worrying

        Just to be clear, I wasn't implying that they WERE an IoT device, simply making a comparison regarding security.

    2. heyrick Silver badge

      Re: Worrying

      This makes a good case for having this sort of stuff required to be open source and peer reviewed.

      For the small fortune they undoubtedly cost, software this broken is really unacceptable.

      1. RM Myers
        Thumb Up

        Re: Worrying

        Good news - the server was running Ubuntu and Apache. From a cursory review of the actual security report(sorry, sometimes I can't help myself), this seems to primarily be configuration errors and design issues, rather than coding issues. For example, they left open ports on the webserver and ran javascript on the client rather than the server, as the reg article mentioned.

  2. Flak
    Stop

    Designed by the wrong people

    Aethon is a logistics company - other security horror stories come from toy and other consumer goods manufacturers who try and make their products smart.

    It is better to prepare and prevent than it is to repair and repent (Ezra Taft Benson).

    The extra cost of investing in proper cyber security by design would have been far less than the reputational damage caused by (in this case) at total lack of understanding or appreciation of cyber risk mitigation.

    Product design is not just about aesthetics and ergonomics, it is just as much about security and reliability.

  3. Anonymous Coward
    Anonymous Coward

    "IoT healthcare security"

    Stated without sarcasm.

  4. Anonymous Coward
    Anonymous Coward

    Didn't know you could get that on the NHS

    Tug robots. ffnarr.

  5. Ian Johnston Silver badge

    Cynerio did, however, find "several" hospitals in the US and globally that were using the internet-connected robots

    Aaaaaand there's your problem, right there.

  6. Kabukiwookie
    Terminator

    It'll be fine

    Thankfully, none of these vulnerabilities were exploited in the wild.

    For as far as they know and they're not going to look too closely if it actually did happen, as the lawsuits would probably bankrupt them if anyone did find something.

  7. Evil Scot Bronze badge
    Alien

    Thankfully not Davinci.

    Hacking of those robots would be life changing.

    Took me two thirds of the article to realise we were talking about automatic trolleys.

    Icon (THAT DOESN'T GO THERE)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like