Armis researchers have unearthed critical vulnerabilities in Swisslog Healthcare’s Translogic pneumatic tube system, which plays a crucial role in patient care in more than 3,000 hospitals worldwide (including 80% of hospitals in North America).
Attackers exploiting the vulnerabilities could gain complete control over the PTS network, negatively affect the functioning of the system and, consequently, damage sensitive materials, compromise sensitive information, and interfere with the hospitals’ workflows.
Swisslog PTS vulnerabilities
The Swisslog PTS system automates the transport lab specimens, blood products, lab tests, and medications throughout the hospital via a network of pneumatic tubes. The system also integrates with other hospital systems (e.g., the access control system).
“Modern PTS systems are IP-connected, and offer advanced features, but, despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has never been thoroughly analyzed or researched,” Armis researchers noted.
Their own research uncovered nine vulnerabilities (which they collectively dubbed PwnedPiper) affecting the Translogic Nexus Control Panel, which powers all current models of Translogic pneumatic tube system stations.
These include hardcoded passwords of user and root accounts, a privilege escalation vulnerability that could be exploited to gain root access, memory corruption vulnerabilities that could be used to achieve RCE and mount DoS attacks, a separate DoS vulnerability, and design flaws that allow unencrypted, unauthenticated and unsigned firmware updates on the Nexus Control Panel.
“The most severe of the discovered vulnerabilities (CVE-2021-37160) can allow an attacker to maintain persistence on compromised PTS stations via their unsecure firmware upgrade procedure, allowing him to hold the stations hostage, until a ransom is paid,” the researchers noted.
While such an attack may ultimately be remediated with manual firmware upgrades of all compromised stations, such a process will take considerable time and effort. Hospitals don’t necessarily have any contingency in place, to handle a prolonged shutdown of the PTS system, which ultimately may translate to harm to patient care.”
Other vulnerabilities may allow the attacker to manipulate the system to damage sensitive items transported through it, redirect them to incorrect stations, access staff records and their RFID credentials, trigger false alerts to the sytem’s maintenance crew, and more.
According to the researchers, all of the vulnerabilities can be triggered by sending unauthenticated network packets. Also, no user interaction is required for the attack to succeed.
Fixes and mitigations
Swisslog has delivered fixes for all the vulnerabilities except one (CVE-2021-37160) in the latest software release (v126.96.36.199). The vulnerabilities also affect older IP-connected Translogic stations, but as those are no longer supported by Swisslog, updates for those haven’t been made available.
CVE-2021-37160 will be fixed in a future release of the software.
Aside from implementing the offered update, hospital system administrators can implement several mitigations steps, which include block any use of Telnet on the Translogic PTS stations and deploying access control lists to make Translogic PTS components be able to communicate only with the Translogic central server (SCC).
The researchers have also shared several Snort IDS rules to detect exploitation attempts of some of the vulnerabilities.
Ben Seri, Armis’ VP of Research, and Barak Hadad, a researcher on Ben’s team, will present this reasearch at the Black Hat conference later this week.