Researchers at Armis have announced the discovery of nine critical vulnerabilities in the Nexus Control Panel, which powers all current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare. The Translogic PTS is critical healthcare infrastructure, used in more than 3,000 hospitals worldwide and responsible for delivering medications, blood products, and various lab samples across multiple departments of a hospital.
The discovered vulnerabilities can enable an unauthenticated attacker to take over PTS stations and gain full control over the tube network of a target hospital. This type of control could enable sophisticated ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of the networks’ carriers, resulting in deliberate sabotage of the workings of the hospital.
Modern PTS systems are IP-connected and offer advanced features, but despite the prevalence of these systems and the reliance of hospitals on their availability to deliver care, their security has never been thoroughly analysed or researched.
“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare,” said Nadir Izrael, co-founder and CTO at Armis. “Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.”
Five of the discovered PwnedPiper vulnerabilities can be used to achieve remote code execution: having gained access to a hospital’s network, an unauthenticated attacker can use one of these to take over Nexus stations. By compromising a Nexus station, an attacker can leverage it for reconnaissance, harvesting data from the station such as the RFID credentials of any employee who uses the PTS system and details about each station’s functions or location, and gaining an understanding of the physical layout of the PTS network. From there, an attacker can take over all Nexus stations in the tube network and hold them hostage in a sophisticated ransomware attack.
“Armis disclosed the vulnerabilities to Swisslog on May 1, 2021, and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers,” said Ben Seri, Armis VP of Research, who leads the team that discovered the vulnerabilities. “With so many hospitals reliant on this technology we’ve worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line.”
Ben Seri and Barak Hadad will present their research on PwnedPiper at this year’s Black Hat USA on Wednesday, August 4th, and Thursday, August 5th.