It is all too common to find hackable defects in medical devices, from mammography machines and CT scanners to pacemakers and insulin pumps. But the potential exposure also extends through the walls: researchers have discovered nearly a dozen vulnerabilities in a popular brand of pneumatic tube delivery systems that many hospitals use to transport and distribute vital cargo such as lab samples and drugs.
Pneumatic tubes can look like scarce and outdated office equipment, more appropriate to The Hudsucker Proxy than to a modern health care system. However, they are surprisingly common. Swisslog Healthcare, a prominent manufacturer of medicine-oriented pneumatic tubes, says more than 2,300 hospitals in North America use its TransLogic PTS platform, as do another 700 in other parts of the world. The nine vulnerabilities that researchers at the embedded security company Armis found in Swisslog’s Translogic Nexus control panels, however, could allow a hacker to take over the system, take it offline, access data, redirect deliveries or otherwise sabotage the pneumatic network.
“You look at one of these pneumatic tube systems connected to the Internet and think, what can go wrong?” says Ben Seri, vice president of research at Armis. “But once you look inside, you see that everything is very gently aligned and one thing that goes out of balance can make it vulnerable to abuse in an attack. This is serious because these systems perform critical functions in the hospital. Medicine and samples move faster from place to place, patients can get more tests, all of which lead to more reliable health care.”
Attackers could target a system of pneumatic tubes as part of a ransomware attack, significantly slowing down laboratory testing and drug distribution. Or hackers could track delivery data for espionage. They could even disrupt delivery routing or damage samples at high speeds by manipulating motors, blowers, robotic arms, and other industrial components that typically work in carefully choreographed sequences to complete deliveries.
The vulnerabilities discovered by Armis researchers in the TransLogic PTS offering cannot be exploited directly from the open internet. But they are all relatively simple flaws to take advantage of: a smattering of hard-coded passwords, buffer overflows, memory corruption errors, and the like. An attacker on the same network as the pneumatic tubes and control panels would have multiple ways to manipulate the system. By taking advantage of certain flaws, they could even install their own unvalidated firmware on the Translogic Nexus control panel. For attackers, this would be a way to establish deep, permanent control; hospitals would need to install another, corrective firmware update to eradicate the intruders.
The researchers, who will present their findings at the Black Hat security conference in Las Vegas on Wednesday, informed Swisslog of the flaws on May 1. The health care company cooperated in fixing the problems and published a security advisory. Armis says there are nine vulnerabilities, while Swisslog counts eight, because the company considers two different encrypted password problems to be one vulnerability, while the Armis researchers say they are two different errors.
Swisslog has started distributing patches for all but one vulnerability. The flaw that remains unpatched is the firmware verification problem; the company is currently working on designing validation checks, but says it is releasing other mitigation measures to customers in the meantime. There is no single update mechanism or platform through which Swisslog distributes patches. The company says different customers have different settings, “depending on the hospital’s technology environment and preferences.” Armis's Seri says that in practice, it can be a challenge for hospitals to obtain and apply updates.