Security specialist Armis has discovered vulnerabilities, collectively dubbed PwnedPiper, in pneumatic tube control systems used in thousands of hospitals worldwide – including 80 per cent of the major hospitals found in the US.
The researcher spotted the PwnedPiper vulnerabilities in Swisslog's Nexus stations for its Translogic Pneumatic Tube System (PTS) product – a connected control system for the delivery tubes which send medicines, samples, blood products, and paperwork whizzing around a hospital. The vulnerabilities have not been exploited in the wild, Armis added.
The systems include hardcoded passwords for both user and administrative accounts which can be accessed over an unencrypted Telnet connection – enabled by default, with no way for an end user to disable it, Armis said. However, in the context of the Nexus Control Panel, the Telnet service is actually not used in production, it added.