PwnedPiper vulns have potential to turn Swisslog's PTS hospital products into Swiss cheese, says Armis

Hardcoded passwords, unencrypted connections and unauthenticated firmware updates... patches released

Security specialist Armis has discovered vulnerabilities, collectively dubbed PwnedPiper, in pneumatic tube control systems used in thousands of hospitals worldwide – including 80 per cent of the major hospitals found in the US.

The researcher spotted the PwnedPiper vulnerabilities in Swisslog's Nexus stations for its Translogic Pneumatic Tube System (PTS) product – a connected control system for the delivery tubes which send medicines, samples, blood products, and paperwork whizzing around a hospital. The vulnerabilities have not been exploited in the wild, Armis added.

The systems include hardcoded passwords for both user and administrative accounts which can be accessed over an unencrypted Telnet connection – enabled by default, with no way for an end user to disable it, Armis said. However, in the context of the Nexus Control Panel, the Telnet service is actually not used in production, it added.

If, somehow, the attacker wasn't aware of the hardcoded root-user password, another vulnerability – caused by running a user-accessible script as root – would allow them to elevate their privileges from a standard user to full control of the system, said Armis.

Four additional memory corruption vulnerabilities – one underflow, two overflows, and an off-by-three overflow – in the TLP20 protocol implementation used by the Nexus systems render the above relatively pointless by permitting both denial-of-service and remote code execution attacks. Yet another vulnerability in the graphical user interface allows for control connections to be hijacked.

"The PTS system supports variable speed transactions which, on the one hand allow for express shipment of urgent items," the researchers said, "while on the other, enable the slow transfer of sensitive items, such as blood products, that may be harmed if jolted too quickly within the tubes. If an attacker were to compromise the PTS system, he may alter the system's speed restrictions, which can in turn damage such sensitive items.

"Compromising the PTS network can allow an attacker to control the paths of the carriers' transactions, by acting as a man-in-the-middle, and altering the requested destinations of the carriers when a transaction request is sent to the PTS network central server. Combining one or more of the described primitives above can allow for a devastating ransomware attack to be unleashed. The attacker can either re-route carriers, derailing the operations of the hospital, or halt the system altogether," the infosec researcher claimed.

Another issue is that access to the PTS control systems can offer attackers a way into other parts of the hospital. "By compromising a Nexus station, an attacker can leverage it for reconnaissance purposes," the researchers warned, "including harvesting data from the station such as RFID credentials of any employee that uses the PTS system, details about each station's functions or location, as well as gain[ing] an understanding of the physical layout of the PTS network."

Ransomware groups are known for targeting medical facilities: hospitals in New Zealand, Ireland, the UK and US, and Germany have all reported ransomware attacks over the last twelve months – with blame for a patient's death pinned on the latter infection.

Armis disclosed a final vulnerability in the firmware update process itself – which it said requires no authentication, does not require any form of signature or hash validation, and uses files which are in no way encrypted.

"This is the most severe vulnerability since it can allow an attacker to gain unauthenticated remote-code-execution by initiating a firmware update procedure while also maintaining persistence on the device," the researchers warned, "allowing him to hold the stations hostage until a ransom is paid."
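The firmware-update weakness described above is the absence of three checks: authentication of the update request, a signature over the image, and integrity validation of its contents. The following is an added example, not Swisslog's code or its image format, showing what a station-side verifier that closes all three gaps looks like. The header layout, the `FWIM` magic value and the error names are assumptions constructed for the illustration; the signature covers the whole header plus payload so that the version and length fields cannot be altered without invalidating it, and a version comparison blocks rollback to an older, vulnerable build.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a vendor format):
//   magic(4) | version(4, big-endian) | payloadLen(4) | sha256(payload)(32) | ed25519 signature(64) | payload
const (
	magic     = "FWIM"
	headerLen = 4 + 4 + 4 + sha256.Size
	sigLen    = ed25519.SignatureSize
)

var (
	ErrTruncated    = errors.New("firmware: image shorter than header+signature")
	ErrBadMagic     = errors.New("firmware: bad magic")
	ErrLength       = errors.New("firmware: payload length does not match header")
	ErrBadSignature = errors.New("firmware: signature does not verify")
	ErrBadDigest    = errors.New("firmware: payload digest mismatch")
	ErrRollback     = errors.New("firmware: version not newer than installed")
)

// BuildImage is the signing side (build server): it produces a signed image.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(hdr[12:headerLen], sum[:])
	// The signature covers header AND payload, so version/length fields are protected too.
	signed := append(append([]byte{}, hdr...), payload...)
	sig := ed25519.Sign(priv, signed)
	img := append(hdr, sig...)
	return append(img, payload...)
}

// VerifyImage is the device side: every check that the article says was missing.
// The unsafe pattern it replaces is "parse header, flash payload" with no verification at all.
func VerifyImage(pub ed25519.PublicKey, img []byte, installedVersion uint32) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen {
		return 0, nil, ErrTruncated
	}
	hdr := img[:headerLen]
	sig := img[headerLen : headerLen+sigLen]
	payload := img[headerLen+sigLen:]

	if string(hdr[0:4]) != magic {
		return 0, nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(hdr[4:8])
	if n := binary.BigEndian.Uint32(hdr[8:12]); uint64(n) != uint64(len(payload)) {
		return 0, nil, ErrLength
	}

	// Authenticity first: nothing in the image is trusted until the signature verifies
	// against the public key burned into the device. Only the holder of the private key
	// can produce an acceptable image, which is what "authenticated update" means here.
	signed := make([]byte, 0, headerLen+len(payload))
	signed = append(signed, hdr...)
	signed = append(signed, payload...)
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}

	// Integrity: the embedded digest must match the payload. Redundant once the signature
	// holds, but cheap, and it lets a device re-check a stored image before each boot.
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], hdr[12:headerLen]) {
		return 0, nil, ErrBadDigest
	}

	// Anti-rollback: a validly signed but older image must not replace a patched one.
	if version <= installedVersion {
		return 0, nil, ErrRollback
	}
	return version, payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))

	v, _, err := VerifyImage(pub, img, 1)
	fmt.Println("genuine image:", v, err)

	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0xff // flip one payload byte
	_, _, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, img, 2)
	fmt.Println("rollback attempt:", err)
}
```

Run it with `go run` and the three lines show a genuine image accepted, a one-byte modification rejected at the signature check, and a downgrade refused. The ordering matters: the signature is checked before any other field is acted on, so a station never parses, stores or flashes content it cannot attribute to the vendor key.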

Ben Seri, vice president of research and leader of the team which discovered the vulnerabilities, told us: "Armis disclosed the vulnerabilities to Swisslog on May 1, 2021 and has been working with the manufacturer to ensure proper security measures and patches will be provided to customers. With so many hospitals reliant on this technology we've worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line."

Seri said Swisslog has worked on remediation efforts and a patch, v7.2.5.7, was readied for today.

"This patch addresses 8 of the 9 vulnerabilities that Armis have identified. Although, there is still [an] issue for legacy systems, which the patch won't be available for, and therefore those hospitals are encouraged to upgrade their systems as soon as possible," he told us.

The Register asked Swisslog to comment on the vulnerabilities and on the certification process its PTS products went through before being sold into hospitals. The company sent us a statement:

"In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully break into a hospital’s secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities.

"We immediately started collaborating on both short-term mitigation and long-term fixes. A software update for all but one of the vulnerabilities has been developed, and specific mitigation strategies for the remaining vulnerability are available for customers. Swisslog Healthcare has already begun rolling out these solutions and will continue to work with its customers and affected facilities. Our commitment to security as an organizational priority has prepared us to address these types of issues with efficiency and transparency."

Seri is to present Armis's research at the Black Hat conference this week, with researcher Barak Hadad. More details on the vulnerabilities can be found on the Armis website and Swisslog's advisory is here. ®
