It's all too common to find hackable flaws in medical devices, from mammography machines and CT scanners to pacemakers and insulin pumps. But it turns out that the potential exposure extends into the walls: Researchers have found almost a dozen vulnerabilities in a popular brand of pneumatic tube delivery system that many hospitals use to carry and distribute vital cargo like lab samples and medicine.
Pneumatic tubes may seem like wonky and antiquated office tech, more suited to The Hudsucker Proxy than a modern-day health care system. Yet they're surprisingly common. Swisslog Healthcare, a prominent medical-focused pneumatic tube system maker, says that more than 2,300 hospitals in North America use its “TransLogic PTS” platform, as do 700 more elsewhere in the world. The nine vulnerabilities that researchers from the embedded device security company Armis found in Swisslog's Translogic Nexus Control Panels, though, could let a hacker take over a system, take it offline, access data, reroute deliveries, or otherwise sabotage the pneumatic network.
“You look at one of these pneumatic tube systems that's connected to the internet and think, what can go wrong?” says Ben Seri, vice president of research at Armis. “But once you look inside you see everything is very delicately aligned, and one thing going out of balance can make it vulnerable to abuse in attacks. This is serious, because these systems perform critical functions in the hospital. Medicine and specimens move from place to place more quickly, patients can get more tests, which all leads to more reliable health care.”
Attackers could target a pneumatic tube system as part of a ransomware attack, significantly slowing laboratory testing and the distribution of medicine. Or hackers could monitor delivery data for espionage. They could even disrupt delivery routing or damage samples at high speeds by manipulating the motors, blowers, robotic arms, and other industrial components that typically work in carefully choreographed sequences to complete deliveries.
The vulnerabilities the Armis researchers found in TransLogic PTS offerings aren't directly exploitable from the open internet. But they're all relatively simple flaws to take advantage of, a smattering of hardcoded passwords, buffer overflows, memory corruption bugs, and the like. An attacker on the same network as the web of pneumatic tubes and control panels would have multiple paths to manipulate the system. And by exploiting certain flaws, they could even install their own unvalidated firmware on a Translogic Nexus Control Panel. For attackers, this would be an avenue to establishing deep, lasting control—hospitals would need to install another curative firmware update to eradicate the intruders.
The researchers, who will present their findings at the Black Hat security conference in Las Vegas on Wednesday, notified Swisslog about the flaws on May 1. The health care company has been collaborating to fix the issues and has released a security advisory. Armis says there are nine vulnerabilities, while Swisslog counts eight, because the company considers two different hard-coded password issues as a single vulnerability, while the Armis researchers say they are two distinct flaws.
Swisslog has started distributing patches for all but one of the vulnerabilities. The flaw that remains unpatched is the firmware verification issue; the company is working to design validation checks but says it is releasing other mitigations to customers in the meantime. There isn't a single update mechanism or platform through which Swisslog distributes patches. The company says different customers have different setups, “dependent on the hospital’s technology environment and preferences.” Armis' Seri says that, in practice, it may be challenging for hospitals to get and apply the updates.
“Even though our analysis concluded that this discovery posed little risk to our company or our customers, we immediately started collaborating on both short-term mitigation and long-term fixes,” Swisslog told WIRED in a statement. “Swisslog Healthcare has already begun rolling out these solutions and will continue to work with its customers and affected facilities until all fixes and concerns are resolved.”
Armis' Seri suggests that many health care providers overlook the importance of pneumatic tube system security, given that they're physical infrastructure, installed when buildings are first constructed or during extensive renovations. In many hospitals, operations managers may maintain the systems rather than IT administrators. But as always-on, internet-connected systems, they need both hardware maintenance and digital defense through firewalls and other network segmentation. Swisslog says hospitals buy its systems as a 30-year or more investment. That timescale is an eternity in digital security, and reflects a larger issue in critical infrastructure: Embedded devices can sit untouched, without security updates, for decades if they're functioning.
“I’m not saying an attack on these systems will occur tomorrow, but it's important to be aware of the potential,” Seri says. “Whether it's nation state attackers or ransomware actors, they can see these systems as something they can target to cause significant harm and disruption.”