Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots

Vulnerabilities found in Aethon Tug hospital robots could allow attackers to circumvent security and remotely surveil and interact with patients, tamper with medication distribution, and disrupt day-to-day hospital operations.
Zachary Weiner
Apr 12, 2022
Press Releases

New York, NY — April 12, 2022 Cynerio, the leading provider of healthcare IoT security solutions, announced today the discovery, exploitation, and disclosure of five zero-day vulnerabilities collectively known as JekyllBot:5, that affect commonly used robots found in hundreds of  hospitals worldwide.

Aethon TUG smart autonomous robots are designed to handle healthcare-related tasks such as distributing medication, cleaning, and transporting hospital supplies. The robots leverage radio waves, sensors, cameras and other technology to open doors, take elevators and travel throughout hospitals unassisted without bumping into people and objects. However, the technology that enables the robots to independently move around the hospital are what make their vulnerabilities so dangerous in the hands of a potential attacker.

The JekyllBot:5 vulnerabilities were discovered by the Cynerio Live research team and reside in the TUG Homebase Server’s JavaScript and API implementation, as well as a WebSocket that relied on absolute trust between the server and the robots to relay commands to them. Some of the more severe attack scenarios at risk by potentially exploiting these vulnerabilities, which ranked as high as a 9.8 CVE score, include:

  • Disrupting or impeding the timely delivery of patient medications and lab samples essential for optimal patient care
  • Interfering with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door locking systems
  • Monitoring or taking videos and pictures of vulnerable patients, staff, and hospital interiors, as well as sensitive patient medical records.
  • Controlling all physical capabilities and locations of the robots to allow access to restricted areas, interaction with patients or crashing into staff, visitors and equipment.
  • Hijacking legitimate administrative user sessions in the robots’ online portal and injecting malware through their browser to perpetrate further cyberattacks on IT and security team members at healthcare facilities.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack, “ said Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and Head of Cyber Network Analysis at Cynerio. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”

The JekyllBot:5 vulnerabilities have been mitigated by the device manufacturer following Cynerio's disclosure of the risks through the CISA Coordinated Vulnerability Disclosure process. Several patches have been applied to the robot fleets at each Aethon customer hospital, including one major patch that required replacing firmware and an operating system update for robots at some hospitals. In addition, Aethon was able to update the firewalls at particular hospitals known to have vulnerable robots so that public access to the robots through the hospitals’ IP addresses was prevented as the fixes were rolled out.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

For more information about the JekyllBot:5 vulnerabilities, their technical details and further risk mitigation please visit Cynerio's JekyllBot:5 Command Center.

About Cynerio

Cynerio is the one-stop-shop Healthcare IoT security platform. With solutions that cater to healthcare’s every IoT need – from Enterprise IoT to OT and IoMT – we promote cross- organizational alignment and provide hospitals the control, foresight, and adaptability they require to stay cyber-secure in a constantly evolving threatscape. We empower healthcare organizations to stay compliant and proactively manage every connection on their own terms with real-time IoT attack detection & response and rapid risk reduction tools, so that they can focus on a hospital's top priority: delivering quality patient care. For more information visit, or follow Cynerio on Facebook, Twitter, and Linkedin.

Keep your finger on the pulse of Healthcare IoT security

Get Your Free Pass to HIMSS21

August 9 -13, Las Vegas

HOW? Easy! If you are a Healthcare IT Executive and you book a 30-minute call with us before July 30th, you get a free pass (valued at $1295)

Book a Call

*Please note that there is limited pass availability