Attackers who exploit critical security vulnerabilities in Swisslog’s TransLogic Pneumatic Tube System (PTS) could potentially reroute or shut down the automated delivery of medications and other vital items around hospitals.
Swisslog has urged healthcare facilities to update their systems after releasing a firmware update today (August 2) that addresses all but one of nine flaws discovered by researchers from cybersecurity firm Armis.
TransLogic PTS is used in more than 80% of North American hospitals and more than 3,000 healthcare facilities worldwide, according to Swisslog.
The system transports medications, blood products, lab samples, and test results around facilities within cylindrical containers via a network of pneumatic tubes.
‘PwnedPiper’
The vulnerabilities were found in the Nexus Control Panel, which powers all Translogic PTS stations.
Dubbed ‘PwnedPiper’, the vulnerabilities “can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital”, reads a blog post published by Armis.
From there, attackers could launch denial-of-service attacks, ransomware attacks, or manipulator-in-the-middle (MitM) attacks that redirect carriers containing vital medical items.
TransLogic PTS can also transport urgent items at comparatively high speeds and sensitive items, such as blood products, more slowly.
“If an attacker were to compromise the PTS system, he may alter the system’s speed restrictions, which can in turn damage such sensitive items,” warns Armis.
Prolonged shutdown
The most severe vulnerability (CVE-2021-37160), which Armis said remains unpatched, could see an attacker achieve remote code execution (RCE) and maintain persistence on the target device after initiating a firmware update procedure.
This is possible because a design flaw means firmware upgrades lack encryption, authentication, and cryptographic signature mechanisms.
Remediating such an attack with manual firmware upgrades “will take considerable time and effort”, notes Armis, and many hospitals lack contingency plans for handling a prolonged shutdown of PTS systems.
The threat is exacerbated further by the system’s integration with other hospital systems such as Swisslog’s WhoTube access control system.
In exploiting four memory corruption vulnerabilities in the TLP20 control protocol (CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, CVE-2021-37164), an attacker could potentially achieve RCE, and thereafter harvest employees’ RFID credentials.
They could also perform reconnaissance on the PTS network, seize control of all Nexus stations, and “hold them hostage in a sophisticated ransomware attack,” said Armis.
The vulnerabilities also include two privilege escalation flaws arising from hardcoded passwords (CVE-2021-37163 and CVE-2021-37167), and a denial-of-service vulnerability (CVE-2021-37166).
Patch now
Armis alerted Swisslog to the vulnerabilities on May 1, 2021.
With the researchers’ help, Swisslog has released firmware version 7.2.5.7 and mitigations in security advisories addressing each flaw.
All previous firmware versions are susceptible to the flaws.
Armis says it expects CVE-2021-37160 to be patched in a future release.
Armis says PTS systems have hitherto been overlooked by security researchers despite the critical role they play in healthcare settings.
“Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments,” said Nadir Izrael, co-founder and CTO at Armis.
Armis security researchers Ben Seri and Barak Hadad will present the PwnedPiper research at Black Hat USA later this week.
Armis, whose flagship product is an agentless device security platform, has also published a technical white paper (PDF) on the research.
The Daily Swig has contacted Swisslog for further comment and we will update this article should we receive a response.
