Researchers have identified nine critical vulnerabilities in the pneumatic tube system (PTS) used by 80% of hospitals in North America and 3,000 hospitals worldwide, putting them at heightened risk of ransomware attacks.
The vulnerabilities – discovered in Swisslog Healthcare’s Translogic PTS by researchers from security platform Armis – were found in the Nexus Control Panel, which powers all current models of the Translogic PTS stations.
The system plays a crucial role in patient care and is considered critical healthcare infrastructure as it is responsible for transporting medications, blood products, lab samples and other materials throughout hospitals via a network of automated pneumatic tubes.
By exploiting the nine vulnerabilities – collectively dubbed PwnedPiper – attackers would be able to take over PTS stations and gain full control over a target hospital’s tube network, in turn allowing them to launch ransomware attacks by deliberately re-routing materials to disrupt a hospitals workflow, or even halting the systems operation altogether.
Because the network-connected PTS integrates with other hospital systems, a breach could also allow the information shared between these systems to be leaked or manipulated by an attacker.
All of the vulnerabilities – which include four memory corruption bugs, a faulty graphical user interface (GUI) socket, and hardcoded passwords being accessible – can be triggered by sending unauthenticated network packets, without any user-interaction.
The most serious vulnerability, according to Armis, is a design flaw in which firmware upgrades on the Nexus Control Panel are unencrypted, unauthenticated and do not require any cryptographic signature, allowing an attacker to gain unauthenticated remote code execution by initiating a firmware update procedure while maintaining persistence on the device.
“Armis disclosed the vulnerabilities to Swisslog on 1 May 2021, and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers,” said Ben Seri, Armis vice-president of research, who leads the team that discovered the vulnerabilities.
“With so many hospitals reliant on this technology ,we’ve worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments where lives are on the line.”
In a statement about the discovery of the vulnerabilities, Swisslog said it immediately started collaborating with Armis on both short-term mitigation and long-term fixes.
“A software update for all but one of the vulnerabilities has been developed, and specific mitigation strategies for the remaining vulnerability are available for customers. Swisslog Healthcare has already begun rolling out these solutions and will continue to work with its customers and affected facilities,” it said.
“We will continue to hold security as a top-tier priority to collaborate with our customers on operational technology within the hospital.”
In a security advisory published by Swisslog, the firm outlined the steps it had taken with Armis to address the vulnerabilities, which included evaluating the firmware to fully assess the implications, replicating the vulnerabilities in a test lab environment, and initiating customer contact to support hospital security teams as they implement mitigation strategies.
The vulnerability not yet solved is the potential for an unauthenticated firmware upgrade, which Armis said is the most serious. It is, however, expected to be patched in a future release.
Despite the prevalence of internet-connected PTS and hospitals’ reliance on them to deliver care, Armis claims the security of these systems has never been thoroughly analysed or researched.
“This research sheds light on systems that are hidden in plain sight, but are nevertheless a crucial building block to modern-day healthcare,” said Nadir Izrael, co-founder and CTO at Armis. ”Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital, is an important milestone to securing healthcare environments.”
Armis has listed a number of mitigation steps in a blog post about its Translogic PTS research, which includes deploying access control lists and using specific Snort intrusion detection system (IDS) rules to discover exploitation attempts.
“Other than these specific steps, hardening the access to sensitive systems such as PTS solutions through the use of network segmentation, and limiting access to such devices through strict Firewall rules, is always good practice that should be in use,” it said.
“Hospitals don’t necessarily have any contingency in place to handle a prolonged shutdown of the PTS system, which ultimately may translate to harm to patient care.”