In a session at the Black Hat US 2021 hybrid event, researchers from security firm Armis outlined a series of vulnerabilities dubbed PwndPiper that impact pneumatic tube delivery systems used by hospitals around the world.
Pneumatic Tubes (PT) is a technology invented over 200 years ago, according to Ben Seri, VP of research at Armis, and use air pressure to transfer different things. While the technology is old, it has been brought forward to the modern era and is commonly used in hospital settings to deliver specimens and even medicines to different locations within a hospital campus.
Among the vendors that develop pneumatic tube systems for hospitals is Swisslog, which has advanced the technology to connect to the internet and modern networks, and that's where the trouble starts. Seri said that his company's research team was able to discover no less than nine different vulnerabilities in Swisslog's TransLogic Pneumatic Tube System. He noted that the TransLogic system is installed in over 2,300 hospitals in North America and over 3,000 worldwide.
Among the different types of vulnerabilities that Armis discovered were hardcoded passwords, privilege escalation flaws, stack overflows, and a non-secure firmware upgrade mechanism. Adding further insult to injury, Seri noted that all the vulnerabilities could have been triggered via unauthenticated network packets, without any user interaction. While the pneumatic tube network itself is an analog technology, Seri noted that the Swisslog system brings in digital management over internet protocol with a central server. That central server is a Windows device that is often connected to the public internet.
The potential risk of the flaws that the Armis team discovered could be quite dire. An attacker might have been able to take over a pneumatic tube system station and then launch a denial of service attack that would cripple the operations of the hospital. A successful attack could also potentially lead to the leak of personally identifiable information. Seri noted that there even could be the risk of the vulnerabilities’ leading to a ransomware attack.
Will it Run Doom?
As part of the session, Seri and his colleague Barak Hadad, researcher at Armis, showed a demonstration of how the vulnerabilities could be exploited.
"Will it run Doom?" Seri asked. "The short answer is it will."
Doom is a first-person shooter game, and it's not something that should have been able to be installed on the Swisslog system, and yet the Armis researchers were able to do so.
"It's very important to develop robust security mitigations, to safeguard these types of systems," Seri said.
Seri noted that Armis reported all the vulnerabilities to Swisslog and patches are now available that hospitals should implement.