PwnedPiper vulns have potential to turn Swisslog's PTS hospital products into Swiss cheese, says Armis

Security specialist Armis has discovered vulnerabilities, collectively dubbed PwnedPiper, in pneumatic tube control systems used in thousands of hospitals worldwide – including 80 per cent of the major hospitals found in the US.

The researcher spotted the PwnedPiper vulnerabilities in Swisslog's Nexus stations for its Translogic Pneumatic Tube System (PTS) product – a connected control system for the delivery tubes which send medicines, samples, blood products, and paperwork whizzing around a hospital. The vulnerabilities have not been exploited in the wild, Armis added.

The systems include hardcoded passwords for both user and administrative accounts which can be accessed over an unencrypted Telnet connection – enabled by default, with no way for an end user to disable it, Armis said. However, in the context of the Nexus Control Panel, the Telnet service is actually not used in production, it added.

If, somehow, the attacker wasn't aware of the hardcoded root-user password, another vulnerability – caused by running a user-accessible script as root – would allow them to elevate their privileges from a standard user to full control of the system, said Armis.

Four additional memory corruption vulnerabilities – one underflow, two overflows, and an off-by-three overflow – in the TLP20 protocol implementation used by the Nexus systems render the above relatively pointless by permitting both denial-of-service and remote code execution attacks. Yet another vulnerability in the graphical user interface allows for control connections to be hijacked.

"The PTS system supports variable speed transactions which, on the one hand allow for express shipment of urgent items," the researchers said, "while on the other, enable the slow transfer of sensitive items, such as blood products, that may be harmed if jolted too quickly within the tubes. If an attacker were to compromise the PTS system, he may alter the system's speed restrictions, which can in turn damage such sensitive items.

"Compromising the PTS network can allow an attacker to control the paths of the carriers' transactions, by acting as a man-in-the-middle, and altering the requested destinations of the carriers when a transaction request is sent to the PTS network central server. Combining one or more of the described primitives above can allow for a devastating ransomware attack to be unleashed. The attacker can either re-route carriers, derailing the operations of the hospital, or halt the system altogether," the infosec researcher claimed.

Another issue is that access to the PTS control systems can offer attackers a way into other parts of the hospital. "By compromising a Nexus station, an attacker can leverage it for reconnaissance purposes," the researchers warned, "including harvesting data from the station such as RFID credentials of any employee that uses the PTS system, details about each station's functions or location, as well as gain[ing] an understanding of the physical layout of the PTS network."

Ransomware groups are known for targeting medical facilities: hospitals in New Zealand, Ireland, the UK and US, and Germany have all reported ransomware attacks over the last twelve months – with blame for a patient's death pinned on the latter infection.

• New Zealand hospitals infected by ransomware, cancel some surgeries
• Hospitals cancel outpatient appointments as Irish health service struck by ransomware
• UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware
• Woman dies after hospital is unable to treat her during crippling ransomware infection, cops launch probe

Armis disclosed a final vulnerability in the firmware update process itself – which it said requires no authentication, does not require any form of signature or hash validation, and uses files which are in no way encrypted.

"This is the most severe vulnerability since it can allow an attacker to gain unauthenticated remote-code-execution by initiating a firmware update procedure while also maintaining persistence on the device," the researchers warned, "allowing him to hold the stations hostage until a ransom is paid."

Ben Seri, vice president of research and leader of the team which discovered the vulnerabilities, told us: "Armis disclosed the vulnerabilities to Swisslog on May 1, 2021 and has been working with the manufacturer to ensure proper security measures and patches will be provided to customers. With so many hospitals reliant on this technology we've worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line."

Seri said Swisslog has worked on remediation efforts and a patch, v7.2.5.7, was readied for today.

"This patch addresses 8 of the 9 vulnerabilities that Armis have identified. Although, there is [an] still issue for legacy systems, which the patch won't be available for, and therefore those hospitals are encouraged to upgrade their systems as soon as possible," he told us.

The Register asked Swisslog to comment on the vulnerabilities and on the certification process its PTS products went through before being sold into hospitals. The company sent us a statement:

"In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully break into a hospital’s secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities.

"We immediately started collaborating on both short-term mitigation and long-term fixes. A software update for all but one of the vulnerabilities has been developed, and specific mitigation strategies for the remaining vulnerability are available for customers. Swisslog Healthcare has already begun rolling out these solutions and will continue to work with its customers and affected facilities. Our commitment to security as an organizational priority has prepared us to address these types of issues with efficiency and transparency."

Seri is to present Armis's research at the Black Hat conference this week, with researcher Barak Hadad. More details on the vulnerabilities can be found on the Armis website and Swisslogs' advisory is here. ®