Tucked behind the interior walls of thousands of hospitals in the US are little-known networks of air-pressurized tube systems that transport medications, bloodwork, and test samples among hospital departments, lab, and the operating room. One of the most popular of these so-called pneumatic tube system (PTS) stations recently was found to be harboring several vulnerabilities that attackers could exploit to wage disruptive attacks on this critical hospital delivery system or to steal or leak sensitive personal information on hospital employees.

Researchers at Armis discovered the flaws in the control panel of Swisslog Healthcare's TransLogic PTS system, a transport system used in more than 3,000 hospitals worldwide. An attacker could exploit the flaws in the TransLogic Nexus Control Panel, which runs the PTS stations, without authenticating to the network, according to Ben Seri, vice president of research at Armis, who along with researcher Barak Hadad will detail their findings this week at Black Hat USA in Las Vegas.

An older model of Swisslog's TransLogic PTS, its IQ station model that was sunsetted in 2017, also contains some of the flaws. That system is no longer supported by the vendor, so Swisslog customers should upgrade to the newer product, according to Armis.

The researchers have dubbed the flaws they found in Swisslog's Nexus Control Panel "PwndPiper." The vulnerabilities include two hard-coded passwords of user and root accounts that are accessible via default and fixed telnet access on the control panel (CVE-2021-37163) and four memory corruption flaws in the system's native TLP20 control protocol implementation that could be used for remote code execution and denial-of-service attacks. These are buffer- and stack overflow-type flaws and have been reported as CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, and CVE-2021-37164.

Nexus Control Panel also contains a privilege escalation flaw that could allow root access via telnet and hard-coded credentials to gain root access (CVE-2021-37167), and a denial-of-service (DoS) flaw (CVE-2021-37166) in the graphical user interface on the control panel that could allow an attacker to wage a DoS by impersonating GUI commands. The Nexus Control Panel also contains a design flaw that allows unsigned, as well as unauthenticated and unencrypted, firmware updates (CVE-2021-37160) to the system, the researchers found.

Seri says if an attacker hacks a Nexus station via any of these flaws, they could wrest control of all Nexus stations on the PTS network and wage a ransomware attack, for instance, or steal data from the stations, including employee RFID credentials as well as other intelligence about the PTS's physical configuration.

"The Nexus Control Panel powers the stations on-premises. Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems," including their RFID cards that open doors at the hospital building, he says.

Meanwhile, Swisslog today issued a software update for the firmware, v7.2.5.7, which patches all but one of the vulnerabilities, CVE-2021-37160, the unsigned firmware issue. The vendor for now is providing mitigation steps for that vuln.

"In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully gain access to a hospital's secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities," a Swisslog spokesperson said in a statement provided to Dark Reading. "We immediately started collaborating on both short-term mitigation and long-term fixes."

Swisslog said in its advisory issued today that the firmware flaws affect the HMI-3 circuit board in the Nexus Panels when the systems are Ethernet-connected, and the affected systems are mostly used in hospitals in North America. An attacker would need access to the victim's IT network to exploit the vulnerabilities, according to Swisslog.

While Armis and Swisslog say they worked closely on the remediation and disclosure of the vulnerabilities, they still disagree on the total number of flaws. Armis says the eight CVEs account for nine flaws it discovered (it points to the two hard-coded passwords in CVE-2021-37163), but Swisslog says Armis counted nine after considering "one vulnerability could have more than one impact and is claiming it as two vulnerabilities," according to a Swisslog spokesperson.

Armis' Seri describes it this way: "So these two accounts that have hard-coded passwords were assigned a single CVE. Swisslog removed one of these accounts — the user — but the root account still remained in the firmware after the patch. For that reason, it is clear these are separate vulnerabilities since they will have two separate solutions."

Yet Another IoT/OT Security Risk
Swisslog's Nexus Station devices are based on an older version of the Linux kernel, v2.6, and managed by a Windows-based central server that sits atop the entire PTS network. Among the features of the network are secure transfers of delivery, using the employee's RFID and password, and email and SMS alerts upon delivery of a container.

"Ten years ago, these systems were mainly used for testing," Seri says. "But now they are more integrated with the hospital and relying more on them for medicine and blood units," so disruption of them would be serious.

The Swisslog system had in its production version a hard-coded password "left inadvertently" from a developer of the system, notes Seri, and it could be used via telnet to run code remotely on the system.

PTS systems are yet another once-isolated physical system ultimately found to be prone to cyberattacks after joining the IP-based network infrastructure. They've traditionally been "secure" because of their obscurity, he notes.

"I do think this should be a wakeup call for a hospital to go ahead and finish up the segmentation" on it network, Seri says. "Most have segmented it for their medical devices, but other systems that are not as directly connected to patients" still affect patient care and need to be segmented and secured, he says.

"The central server and all stations can talk to [those] devices and should not talk to any other device on the network," for instance, he says.

Armis today published the technical details of its findings.