UPDATED: Researchers at Armis have discovered nine critical vulnerabilities in the Nexus Control Panel, which powers all current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare. The Translogic PTS system is a critical infrastructure for healthcare used in more than 3,000 hospitals worldwide. The system is responsible for delivering medications, blood products, and various lab samples across multiple departments of a hospital. The discovered vulnerabilities can enable an unauthenticated attacker to take over PTS stations and gain full control over the tube network of a target hospital. This type of control could enable sophisticated ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of the networks’ carriers, resulting in deliberate sabotage of the workings of the hospital.
Modern PTS systems are IP-connected, and offer advanced features, but, despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has never been thoroughly analysed or researched.
“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare,” said Nadir Izrael, co-founder and CTO at Armis. “Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.”
Five of the discovered PwnedPiper vulnerabilities can be used to reach remote-code-execution and by gaining access to a hospital’s network, an unauthenticated attacker can use one of these to take over Nexus stations. By compromising a Nexus station, an attacker can leverage it for reconnaissance purposes, including harvesting data from the station such as RFID credentials of any employee that uses the PTS system, details about each station’s functions or location, as well as gain an understanding of the physical layout of the PTS network. From there, an attacker can take over all Nexus stations in the tube network, and hold them hostage in a sophisticated ransomware attack.
“Armis disclosed the vulnerabilities to Swisslog on May 1, 2021, and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers,” said Ben Seri, Armis VP of Research, who leads the team that discovered the vulnerabilities. “With so many hospitals reliant on this technology we’ve worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line.”
Swisslog has also provided a statement about the potential software vulnerabilities and fixes:
“With over 100 years of experience in hospital and health system automation, Swisslog Healthcare unites forward-thinking material transport and pharmacy automation with software and analytics to increase accuracy, traceability, and boost efficiency.
In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic® firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully gain access to a hospital’s secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities.
We immediately started collaborating on both short-term mitigation and long-term fixes. A software update for all but one of the vulnerabilities has been developed, and specific mitigation strategies for the remaining vulnerability are available for customers. Swisslog Healthcare has already begun rolling out these solutions and will continue to work with its customers and affected facilities. Our commitment to security as an organizational priority has prepared us to address these types of issues with efficiency and transparency.”
More information is available at https://www.swisslog-healthcare.com/en-us/company/news/2021/07/translogic-firmware-vulnerabilities.
For more information, Armis has published a detailed blog to help hospitals navigate the vulnerability at https://www.armis.com/pwnedpiper.
For additional information from Swisslog Healthcare, please see the following security advisory here.