Researchers from security firm Armis detected a set of nine critical vulnerabilities, dubbed PwnedPiper, affecting the Nexus Control Panel, which powers all current stations of Swisslog Healthcare’s Translogic Pneumatic Tube System (PTS).
PwnedPiper vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and gain complete control over the PTS network of a target hospital, according to Armis research. Such controls could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information. Older IP-connected Translogic stations are also impacted but are no longer supported by Swisslog.
Translogic is an advanced PTS offering, deployed across over 80 percent of hospitals in North America and in over 3,000 hospitals worldwide. The PTS systems play a crucial role in patient care and are utilized nearly 100 percent of the time.
Armis reported the PwnedPiper vulnerabilities to Swisslog in May and has worked with them to fully understand the impact of the weaknesses, develop and test a patch that would remediate them, and develop mitigation steps until a patch is installed.
In its statement on Monday, Swisslog Healthcare said that the security vulnerabilities in the TransLogic firmware are limited to the HMI-3 circuit board inside of Nexus panels when connected using an Ethernet connection.
Jennie McQuade, chief privacy officer for Swisslog Healthcare, notes that vulnerabilities only exist when a combination of variables exists. “The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits,” according to the statement.
“The PTS solutions are vital to hospital operations as they automate logistics and the transport of materials throughout the hospital and are used for various applications, including transferring various specimens from all departments of the hospital to centrally located laboratories, for testing,” Ben Seri and Barak Hadad, Armis executives wrote in the research. “It is also used for distributing medicine from the hospital’s pharmacy to all departments, and distributing blood units from the hospital’s blood bank to operation rooms.”
PTS systems use a star architecture in which various components, such as stations, blowers and diverters, are connected to a central management server that monitors and manages the overall system. The central server monitors the current state of the system and orchestrates the operation of the components so that capsules are transferred efficiently throughout the system.
Swisslog has also acknowledged that older station models that are IP-connected, such as the IQ station, share code with the Nexus Control Panel, and are likely to be impacted by some of the vulnerabilities, as well. For the Nexus Control Panel, Swisslog is providing its customers a new version that mitigates the majority of the vulnerabilities – version 22.214.171.124. One remaining vulnerability is currently unresolved by the latest version and is expected to be patched in a future release.
Armis’s research sheds light on systems that are hidden in plain sight but are nevertheless crucial building blocks to modern-day healthcare. Understanding that patient care depends not only on medical devices but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.
“While the transition of analog systems to digital brings progress to all sorts of applications, including to a variety of infrastructure solutions used in healthcare, it is important to transition the security mindset of such systems in the process as well. When critical infrastructures, such as pneumatic tube systems that play a crucial role in providing patient care, are in mind, this requirement needs to be even more imperative,” Armis wrote in a whitepaper on the PwnedPiper vulnerabilities.
While patching the vulnerable Translogic PTS stations is essential, external mitigations can also be useful for detection and preventing attacks on these systems.
Users have been advised to block any use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not required in production), and deploy access control lists (ACLs), in which Translogic PTS components are only allowed to communicate with the Translogic central server (SCC), Armis said.
Other than these specific steps, hardening the access to sensitive systems such as PTS solutions, through the use of network segmentation, and limiting access to such devices through strict firewall rules, is always good practice, which should be in use, it added.