Worrying
How the hell were these even allowed to leave the factory?
I'll probably get flamed for this, but the average IoT device has more security than these things.
Mobile robot maker Aethon has fixed a series of vulnerabilities in its Tug hospital robots that, if exploited, could allow a cybercriminal to remotely control thousands of medical machines. Exploiting these five bugs, collectively called JekyllBot:5, required no special privileges or user interaction. And once used, they could …
But these are NOT your typical "average IoT device" - I think your comment probably illustrates how this happened, they were designed by people working to fix medical issues and help patients move around - the entire design efforts for any medical device are to make them work 100% and cause no new health issues. The designers were concentrating on making a device that worked, not a device that couldn't be hacked and was 100% secure.
This is not a criticism of the designers, it looks like they were doing a good job - but the hacking is something that's totally outside the original design efforts - you can't build a device and have the doctor say, "It broke their ankle" and then reply, "sorry about that but it can't be hacked by ransomware."
These days, building an "unhackable" device is going to need a lot more effort than just meeting the company management's initial design definition.
"the entire design efforts for any medical device are to make them work 100% and cause no new health issues"
A device with remote access vulnerabilities doesn't meet that description. It seems likely that the cause must be omitting auditing and/or testing for this in the current criteria. You'd think after Wannacry that more notice would have been taken of this. Maybe it is and is grinding its way through some regulatory process.
Good news - the server was running Ubuntu and Apache. From a cursory review of the actual security report(sorry, sometimes I can't help myself), this seems to primarily be configuration errors and design issues, rather than coding issues. For example, they left open ports on the webserver and ran javascript on the client rather than the server, as the reg article mentioned.
Aethon is a logistics company - other security horror stories come from toy and other consumer goods manufacturers who try and make their products smart.
It is better to prepare and prevent than it is to repair and repent (Ezra Taft Benson).
The extra cost of investing in proper cyber security by design would have been far less than the reputational damage caused by (in this case) at total lack of understanding or appreciation of cyber risk mitigation.
Product design is not just about aesthetics and ergonomics, it is just as much about security and reliability.