Armis researchers have identified a set of nine critical vulnerabilities in the leading solution for pneumatic tube systems (PTS) in North America – the Translogic PTS system by Swisslog Healthcare. This system is used in over 80% of hospitals in North America, and installed in more than 3,000 hospitals worldwide. PTS systems play a crucial role in patient care, and are utilized nearly 100% of the time.
Dubbed PwnedPiper, the vulnerabilities allow for complete take over of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted, but are no longer supported by Swisslog.
This blog will provide a high-level overview of this research and its implications. Additional material is available here:
The Swisslog PTS system is vital to hospital operations as it automates logistics and the transport of materials throughout the hospital via a network of pneumatic tubes. The system is designed so that hospitals can provide better patient care with automated material transport that includes highly sensitive materials such as lab specimens, blood products, pathology lab tests, medications, and more. Prior to the use of PTS systems, hospitals were required to transfer the various items manually. Today due to their wide adoption, these systems are vital for proper workflow of hospital operations.
Armis reported the vulnerabilities to Swisslog on May 1, 2021, and has worked with them ever since to fully understand the impact of the vulnerabilities, develop and test a patch that would remediate them, and develop mitigation steps until a patch is installed.
Swisslog Healthcare has released a security advisory today, that is available here.
See our proposed mitigation steps and how the Armis platform detects and mitigates these vulnerabilities below.
These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.
The Translogic PTS system is an advanced system that integrates with other hospital systems, which may allow the information shared between these systems to be leaked or manipulated by an attacker if the Translogic PTS network were to be compromised.
Here are examples of such advanced features, and the risks they entail:
Lastly, compromising the PTS network can allow an attacker to control the carrier’s paths by acting as a man-in-the-middle, and altering the requested destinations of the carriers when a transaction request is sent to the PTS network’s central server. Combining one or more of the described primitives above can allow for a devastating ransomware attack to be unleashed. The attacker can either re-route carriers, derailing the operations of the hospital, or halt the system altogether. The most severe of the discovered vulnerabilities (CVE-2021-37160) can allow an attacker to maintain persistence on compromised PTS stations via their unsecure firmware upgrade procedure, allowing him to hold the stations hostage until a ransom is paid.
While such an attack may ultimately be remediated with manual firmware upgrades of all compromised stations, such a process will take considerable time and effort. Hospitals don’t necessarily have any contingency in place to handle a prolonged shutdown of the PTS system, which ultimately may translate to harm to patient care.
Today’s healthcare delivery organizations operate on more than traditional IT systems and connected medical devices. There also exists secondary technology and machines that serve as the infrastructure which facilitates the continuous delivery of patient care. In addition to the Translogic PTS system, hospitals also rely upon elevator control systems in the context of patient movement, temperature control sensors for vaccine storage, gas control systems for suction and oxygen delivery and more. As these critical infrastructure elements connect to the network, they also become targets for exploitation.
Current security measures, including traditional endpoint protection and network security solutions are simply not designed to protect this infrastructure or identify these types of attacks. The Armis platform has been purpose-built to identify vulnerabilities like PwnedPiper and will help in the following ways:
Identifying Swisslog PTS Components
Matching CVEs to Discovered Swisslog Devices
Armis strongly recommends the use of mitigation steps outlined by Swisslog in their security advisory which can be accessed here.
For more information on how Armis helps healthcare institutions with operational considerations to drive cyber resilience, click here.
As described above, the research yielded the discovery of nine critical vulnerabilities in the Nexus Control Panel that powers all current models of Translogic PTS stations. All current firmware versions of this device are susceptible to these vulnerabilities.
Swisslog has also acknowledged that older station models that are IP-connected (such as the IQ station) share code with the Nexus Control Panel, and are thus likely to be impacted by some of the vulnerabilities as well. However, these older stations are no longer supported by Swisslog, and will not get a patch released.
For the Nexus Control Panel, Swisslog is providing its customers a new version that mitigates the majority of the vulnerabilities – version 220.127.116.11. One remaining vulnerability (CVE-2021-37160) is currently unresolved by the latest version, and is expected to be patched in a future release.
This is a high-level description of the discovered vulnerabilities:
All of the vulnerabilities can be triggered by sending unauthenticated network packets, without any user-interaction.
For a detailed technical deep dive on the discovered vulnerability, read the technical research paper.
This research will be presented at the Black Hat conference by Ben Seri, Armis’ VP of Research, and Barak Hadad, a researcher on Ben’s team, later this week.
While patching the vulnerable Translogic PTS stations is essential, external mitigations can also be useful for detection and preventing attacks on these systems.
Here are mitigation steps that can be used to identify and potentially block the discovered vulnerabilities:
alert udp any any -> any 12345 (msg:"PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet"; dsize:<21; content:"TLPU"; depth:4; content:"|00 00 00 01|"; distance:4; within:4; reference:cve,2021-37161; reference:url,https://www.armis.com/pwnedPiper; sid:9800002; rev:1;)
alert udp any any -> any 12345 (msg:"PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet";dsize:>350; content:"TLPU"; depth:4; reference:cve,2021-37164; reference:url,https://www.armis.com/pwnedPiper; sid:9800001;)
Other than these specific steps, hardening the access to sensitive systems such as PTS solutions, through the use of network segmentation, and limiting access to such devices through strict Firewall rules, is always good practice, that should be in use.
This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare. Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.