Attacks and Vulnerabilities
Critical infrastructure
Industrial Cyber Attacks
Malware, Phishing & Ransomware
News
Threat Landscape
Vulnerabilities

Armis finds PwnedPiper flaws in Swisslog’s Translogic PTS, affecting hospital networks

August 03, 2021

Researchers from security firm Armis detected a set of nine critical vulnerabilities, dubbed PwnedPiper, affecting the Nexus Control Panel, which powers all current stations of Swisslog Healthcare’s Translogic Pneumatic Tube System (PTS). 

PwnedPiper vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and gain complete control over the PTS network of a target hospital, according to Armis research. Such controls could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information. Older IP-connected Translogic stations are also impacted but are no longer supported by Swisslog. 

Translogic is an advanced PTS offering, deployed across over 80 percent of hospitals in North America and in over 3,000 hospitals worldwide. The PTS systems play a crucial role in patient care and are utilized nearly 100 percent of the time.

Armis reported the PwnedPiper vulnerabilities to Swisslog in May and has worked with them to fully understand the impact of the weaknesses, develop and test a patch that would remediate them, and develop mitigation steps until a patch is installed.

In its statement on Monday, Swisslog Healthcare said that the security vulnerabilities in the TransLogic firmware are limited to the HMI-3 circuit board inside of Nexus panels when connected using an Ethernet connection. 

Jennie McQuade, chief privacy officer for Swisslog Healthcare, notes that vulnerabilities only exist when a combination of variables exists. “The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits,” according to the statement. 

“The PTS solutions are vital to hospital operations as they automate logistics and the transport of materials throughout the hospital and are used for various applications, including transferring various specimens from all departments of the hospital to centrally located laboratories, for testing,” Ben Seri and Barak Hadad, Armis executives wrote in the research. “It is also used for distributing medicine from the hospital’s pharmacy to all departments, and distributing blood units from the hospital’s blood bank to operation rooms.”

PTS systems use a star architecture in which various components, such as stations, blowers and diverters, are connected to a central management server that monitors and manages the overall system. The central server monitors the current state of the system and orchestrates the operation of the components so that capsules are transferred efficiently throughout the system.

Swisslog has also acknowledged that older station models that are IP-connected, such as the IQ station, share code with the Nexus Control Panel, and are likely to be impacted by some of the vulnerabilities, as well. For the Nexus Control Panel, Swisslog is providing its customers a new version that mitigates the majority of the vulnerabilities – version 7.2.5.7. One remaining vulnerability is currently unresolved by the latest version and is expected to be patched in a future release.

Armis’s research sheds light on systems that are hidden in plain sight but are nevertheless crucial building blocks to modern-day healthcare. Understanding that patient care depends not only on medical devices but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.

“While the transition of analog systems to digital brings progress to all sorts of applications, including to a variety of infrastructure solutions used in healthcare, it is important to transition the security mindset of such systems in the process as well. When critical infrastructures, such as pneumatic tube systems that play a crucial role in providing patient care, are in mind, this requirement needs to be even more imperative,” Armis wrote in a whitepaper on the PwnedPiper vulnerabilities.

While patching the vulnerable Translogic PTS stations is essential, external mitigations can also be useful for detection and preventing attacks on these systems.

Users have been advised to block any use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not required in production), and deploy access control lists (ACLs), in which Translogic PTS components are only allowed to communicate with the Translogic central server (SCC), Armis said.

Other than these specific steps, hardening the access to sensitive systems such as PTS solutions, through the use of network segmentation, and limiting access to such devices through strict firewall rules, is always good practice, which should be in use, it added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations