Vendor Swisslog Healthcare urges more than 3,000 hospitals worldwide to apply patch ASAP

UPDATED Attackers who exploit critical security vulnerabilities in Swisslog Healthcare’s TransLogic Pneumatic Tube System (PTS) could potentially reroute or shut down the automated delivery of medications and other vital items around hospitals.

Swisslog Healthcare has urged healthcare facilities to update their systems after releasing a firmware update today (August 2) that addresses all but one of nine flaws discovered by researchers from cybersecurity firm Armis.

TransLogic PTS is used in more than 80% of North American hospitals and more than 3,000 healthcare facilities worldwide, according to Swisslog.

The system transports medications, blood products, lab samples, and test results around facilities within cylindrical containers via a network of pneumatic tubes.

‘PwnedPiper’

The vulnerabilities were found in the Nexus Control Panel, which powers all Translogic PTS stations.

Dubbed ‘PwnedPiper’, the vulnerabilities “can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital”, reads a blog post published by Armis.

From there, attackers could launch denial-of-service attacks, ransomware attacks, or manipulator-in-the-middle (MitM) attacks that redirect carriers containing vital medical items.

TransLogic PTS can also transport urgent items at comparatively high speeds and sensitive items, such as blood products, more slowly.

“If an attacker were to compromise the PTS system, he may alter the system’s speed restrictions, which can in turn damage such sensitive items,” warns Armis.

Prolonged shutdown

The most severe vulnerability (CVE-2021-37160), which Armis said remains unpatched, could see an attacker achieve remote code execution (RCE) and maintain persistence on the target device after initiating a firmware update procedure.

This is possible because a design flaw means firmware upgrades lack encryption, authentication, and cryptographic signature mechanisms.

Remediating such an attack with manual firmware upgrades “will take considerable time and effort”, notes Armis, and many hospitals lack contingency plans for handling a prolonged shutdown of PTS systems.


RECOMMENDED Dropbox researchers develop tool to detect lateral movement attacks against enterprise networks


The threat is exacerbated further by the system’s integration with other hospital systems such as Swisslog’s WhoTube access control system.

In exploiting four memory corruption vulnerabilities in the TLP20 control protocol (CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, CVE-2021-37164), an attacker could potentially achieve RCE, and thereafter harvest employees’ RFID credentials.

They could also perform reconnaissance on the PTS network, seize control of all Nexus stations, and “hold them hostage in a sophisticated ransomware attack,” said Armis.

The vulnerabilities also include two privilege escalation flaws arising from hardcoded passwords (CVE-2021-37163 and CVE-2021-37167), and a denial-of-service vulnerability (CVE-2021-37166).

Patch now

Armis alerted Swisslog Healthcare to the vulnerabilities on May 1, 2021.

With the researchers’ help, Swisslog has released firmware version 7.2.5.7 and mitigations in security advisories addressing each flaw.

All previous firmware versions are susceptible to the flaws.

Armis says it expects CVE-2021-37160 to be patched in a future release.

Jennie McQuade, chief privacy officer for Swisslog Healthcare, told The Daily Swig: “Armis has offered a tremendous depth of research which has, in turn, helped us to deliver an enhanced solution for our customers. Our latest software release eliminates the identified vulnerabilities except for one, for which mitigation strategies are recommended.

“We will continue to hold security as a top-tier priority in order to collaborate with our customers on operational technology within the hospital.”


Catch up on the latest healthcare breaches and security news


Armis says PTS systems have hitherto been overlooked by security researchers despite the critical role they play in healthcare settings.

“Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments,” said Nadir Izrael, co-founder and CTO at Armis.

Armis security researchers Ben Seri and Barak Hadad will present the PwnedPiper research at Black Hat USA later this week.

Armis, whose flagship product is an agentless device security platform, has also published a technical white paper (PDF) on the research.


This article was updated on August 3 with comments from Swisslog Healthcare.


RELATED UC San Diego Health discloses data breach after employee email accounts hijacked