Researchers from the IoT security firm Armis have discovered nine critical vulnerabilities in the Nexus Control Panel which is used to power all current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare.
The vulnerabilities have been given the name PwnedPiper and are particularly concerning due to the fact that the Translogic PTS system is used in 3,000 hospitals worldwide including in more than 80 percent of major hospitals in North America. The system is used to deliver medications, blood products and various lab samples across multiple departments at the hospitals where it is used.
The PwnedPiper vulnerabilities can be exploited by an unauthenticated hacker to take over PTS stations and gain full control over a target hospital’s tube network. With this control, cybercriminals could launch ransomware attacks that range from denial-of-service to full-blown man-in-the-middle attacks (MITM) that can alter the paths of a networks’ carriers to deliberately sabotage hospitals.
Despite the prevalence of modern PTS systems that are IP-connected and found in many hospitals, the security of these systems has never been thoroughly analyzed or researched until now.
Of the nine PwnedPiper vulnerabilities discovered by Armis, five of them can be used to achieve remote code execution, gain access to a hospital’s network and take over Nexus stations.
By compromising a Nexus station, an attacker can use it for reconnaissance to harvest data from the station including RFID credentials of employees that use the PTS system, details about the functions or locations of each system and gain an understanding of the physical layout of a hospital’s PTS network. From here, an attacker can take over all Nexus stations in a hospital’s tube network and then hold them hostage in a ransomware attack.
VP of Research at Armis, Ben Seri provided further insight in a press release on how the company worked with Swisslog to patch the PwnedPiper vulnerabilities it discovered, saying:
“Armis disclosed the vulnerabilities to Swisslog on May 1, 2021, and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers. With so many hospitals reliant on this technology we’ve worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line.”
Armis will present its research on PwnedPiper at this year’s Black Hat USA security conference and as of now, only one of the nine vulnerabilities remains unpatched.