Nine critical vulnerabilities were found in the Swisslog Healthcare Translogic Pneumatic Tube System (PTS) stations’ Nexus Control Panel, which are utilized in over 80% of big hospitals in the U.S.A. Pneumatic tube systems are employed to quickly send out test samples and prescription drugs near hospitals and the unsecured PTS stations are found in 3,000 hospitals around the world, which include 2,300 in the U.S.A.
The researchers at Armis Security discovered the vulnerabilities called ‘PwnedPiper.’ Overall, there were 9 critical vulnerabilities found in the Nexus Control Panel. The firmware of all present units of Translogic PTS stations is impacted.
The vulnerabilities found by the researchers are well-known in Internet of Things (IoT) devices, however, are much more problematic in pneumatic tube systems, which form part of the critical infrastructure of hospitals. The Armis researchers stated that these systems are common in hospitals, nevertheless, they were completely examined or researched.
A threat actor can exploit the vulnerabilities to bring about a denial of service, gather sensitive information such as employees’ RFID credentials, and execute reconnaissance to determine the capabilities or location of the stations, and acquire an awareness of the physical structure of the PTS network. The vulnerabilities can likewise be taken advantage of in a ransomware attack.
The vulnerabilities found to consist of the usage of hard-coded passwords, privilege escalation vulnerabilities, memory corruption vulnerabilities, unencrypted connections, remote code execution vulnerabilities, and unauthenticated updates of the firmware. An attacker that exploits the vulnerabilities could get total control of the hospital’s Nexus stations.
Armis co-founder and CTO, Nadir Izrael, stated that this research shows systems not seen in plain sight yet still a critical building block to present-day medical care. Knowing that patient care relies not just on medical devices, but on the functional infrastructure of a hospital, as well, is an essential development to protecting healthcare systems.
The researchers explained a scenario wherein the vulnerabilities can be used to deploy ransomware. Initially, an attacker would get a footing in the hospital system. This may just be exploiting a low-grade IoT device, like a hospital IP camera, vulnerability. When network access is acquired, the Translogic PTS can be attacked because it is linked to hospital systems. Any one of the 5 vulnerabilities can then be used to attain remote code delivery in an attack that can impact all Nexus stations, either by utilizing ransomware or just closing down stations.
In this unpredictable condition, the hospital’s operations could be significantly derailed. Medicines delivered to departments, prompt distribution of laboratory samples, and providing blood units to operating rooms are all based on the regular accessibility of the PTS.
Armis showed the results at Black Hat USA. 8 of the 9 vulnerabilities found in Nexus Control Panel version 220.127.116.11 had been patched by Swisslog Healthcare. One last vulnerability will be resolved in the coming release. The last vulnerability monitored as CVE-2021-37160, impacts legacy systems and is because of the insufficient firmware validation during a file upload for a firmware update.
There were no identified instances of vulnerabilities exploitation. Swisslog Healthcare has recommended mitigations and fixes in its security advisory for hospitals that cannot update to the most recent Nexus Control Panel version