Hospitals exposed to robot glitch
At least two Australian hospitals have used robots with security flaws that could have allowed hackers to spy on patients or shut down hospital systems.
At least two Australian hospitals were using robots with security flaws that could have allowed hackers to spy on patients, tamper with medication or shut down hospital systems.
Cyber security researchers say the vulnerabilities, discovered overseas last week, affected Aethon TUG smart autonomous robots understood to be deployed in some Australian hospitals including the Royal Melbourne Hospital and Epworth in Richmond. The US’s Cybersecurity and Infrastructure Security Agency (CISA) warned last week that the bugs could allow hackers to take full control of robot functions or expose sensitive information.
The robots handle tasks including distributing medication, cleaning and transporting hospital supplies and use sensors, cameras and radio waves to avoid bumping into people and objects.
The technology that powers the robots and allows them to move throughout the hospital is also what made the vulnerabilities so dangerous, according to Asher Brass, an executive at cyber security start-up Cynerio and lead researcher on the vulnerabilities, which have been dubbed JekyllBot:5.
Mr Brass said the bugs were with the base servers used to control the robots, which could have allowed hackers to log in and remotely control the robots from afar, allowing them to potentially spy on patients or interfere with critical patient care.
According to Cynerio, some of the more severe attack scenarios ranked as high as 9.8 on the CVSS scale, a severity measure out of 10 used to rate cyber security vulnerabilities.
There was no evidence that the vulnerabilities, which were in the Homebase Server’s JavaScript and API implementation, had so far been exploited.
It’s understood robot manufacturer Aethon issued patches to its customers’ hospitals before the vulnerabilities were made public.
“These vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,” Mr Brass said.
“If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”
He added that hospitals are urged to update their robots’ firmware in order to guard against potential attacks.
The Royal Melbourne Hospital and Epworth Hospital have been contacted for comment. Neither had responded at the time of publishing.
Aethon, which is headquartered in Pennsylvania, was contacted for comment.
Last week a statement from the company said it had been told of the flaws before they were made public by the US’s CISA.
“Aethon was informed of a potential cyber security vulnerability prior to it being published by CISA, as is their standard practice, and it was mitigated by a system patch prior to the notification. No vulnerability was actually exploited at any of our sites,” a spokesman said.