Basic flaws put pneumatic tube transport systems in hospitals at risk

Researchers have identified several high-risk vulnerabilities in a popular model of pneumatic tube systems (PTS) that are used by many hospitals to transport sensitive materials including lab specimens, blood products, tests and medications between different departments. The flaws could enable attackers to sabotage or hold the systems hostage, which can potentially have a negative impact on patient care.

The vulnerabilities affect the Translogic PTS system made by Swisslog Healthcare, which according to the manufacturer, is used in over 2,300 hospitals in North America and over 3,000 worldwide. Such systems have become an important part of the normal workflows in medical facilities, saving up to 200 hours per day in manual transport time.

Translogic PTS supports secure transfers through carrier tracking, user authentication and physical access control with passports and RFID cards. Workers interact with the system through a touch screen control panel on devices called Nexus Stations where workers can load and receive the carriers — the containers that travel through the tube system.

“The attacker can either re-route carriers, derailing the operations of the hospital, or halt the system altogether,” researchers from security firm Armis, who found the vulnerabilities, say in their report. “The most severe of the discovered vulnerabilities (CVE-2021-37160) can allow an attacker to maintain persistence on compromised Nexus stations via their unsecure firmware upgrade procedure, allowing him to hold the stations hostage until a ransom is paid.”

Hardcoded passwords, memory corruption and insecure updates

The Nexus Control Panel software is built on top of Linux for ARM with a very old kernel, Ben Seri, vice president of research at Armis, tells CSO. The passwords for root and another user are hardcoded and can be used to access the device over Telnet if an attacker is on the same network. Telnet is enabled by default and cannot be disabled through native device configurations. Another vulnerability consists of a script that runs as root and can be used by a lower privileged user to escalate their privileges and gain full rights on the device.

The researchers also found four memory corruption flaws in the UDP-based proprietary TLP20 protocol that’s used to manage and control the devices. Exploitation of these vulnerabilities does not require authentication and can lead to remote code execution or denial of service.

A separate denial-of-service vulnerability stems from the fact that the process controlling the graphical user interface (GUI) on the Nexus Control Panel operates as a local service that is binded to all network interfaces. This means that an attacker can remotely hijack this process’s connection through the network and mimic GUI commands.

Finally, the firmware upgrade mechanism does not use encryption or cryptographic signature verification, allowing an attacker to potentially perform a malicious firmware upgrade and remote code execution and gain low-level persistence on the device.

The firmware upgrade is done over the TLP20 protocol so an attacker would have to know how to do it, but this wouldn’t be difficult to understand, Seri tells CSO. The attacker could just monitor the network traffic from a man-in-the-middle position, observe how firmware upgrades are performed and then just replay the process, replacing the update with their own. Since this is Linux, the upgrade file is a standard ELF executable that would be executed as root, so no firmware reverse engineering is required.

This persistence through malicious firmware could enable ransomware-style attacks where the hackers use their access to disrupt the system and prevent its use, according to the Armis researchers. While recovering compromised stations from such an attack would be possible with manual firmware upgrades, this would take considerable time and effort.

Hospitals have become dependent on these systems and they’re meant to be operating all the time. If such an attack were to happen, hospitals would have to allocate manpower to move the critical items within the hospital manually, Seri says. Attackers could also sabotage the system in other ways by redirecting the carriers to the wrong destination to create chaos or increasing the transportation speed inside the system damaging sensitive materials that are supposed to be transported at lower speeds.

The systems also handle information about staff, integrate with access control methods such as RFID tags, and can even integrate with communications systems such as email or SMS to send notifications when carriers are sent or received.

Mitigation 

The vulnerabilities are limited to the HMI-3 circuit board inside of Nexus Panels when connected using an Ethernet connection and the potential for tube stations to be compromised is dependent on a bad actor having access to the facility’s information technology network, Swisslog Healthcare said in a statement.

The company has prepared a new software release with updated firmware that addresses seven of the eight vulnerabilities identified by Armis. The last one has mitigations that are documented in the company’s Network Communications and Deployment Guide.

Hospitals are used to relying on these systems 100% of the time, so updating them could take time because it might require a planned shut-down, Seri says. Until the patches can be applied, organizations should use network segmentation, access control lists and switches to limit who can access these systems over the network, Seri says. Armis will also publish IDS rules that can be incorporated in open source and other monitoring solutions to detect attempts to exploit these vulnerabilities.

The Translogic PTS system also has a central control server that runs on Windows and has internet access. This server also needs to be updated and needs to be protected because compromising it would provide attackers with network access to all the stations.

“Our feeling about this is that these systems are just extremely vulnerable,” Seri says. “This is the first time they’re being looked at and we just found some of the basic vulnerabilities. We don’t believe that it’s the end of what can be found on these devices, but very much the beginning.”