PwnedPiper Set of Bugs In Connected Pneumatic Tube Systems Impacts Thousands of North American Hospitals

Bugs In Pneumatic Tube Systems Impact Thousands of North American Hospitals

A set of 9 issues collectively called as PwnedPiper and concern the safety of the pneumatic tube system (PTS) used in thousands of hospitals globally.

A hospital’s PTS solution is a critical component that helps provide fast, secure delivery of medical items such as blood and tissue samples around the hospital.

SwissLog, a provider of material transportation solutions, has issued a statement regarding its TransLogic Pneumatic Tube System, which is commonly used in hospitals in North America and Europe. The company claims that its patented technology is available in more than 3,000 locations worldwide.

Armis, a security company for connected devices, discovered that an unauthenticated attacker can easily take over a hospital’s entire SwissLog PTS network. The company discovered nine critical flaws in the firmware powering Nexus Control Panel all current models of TransLogic’s PTS products.

While not all of the issues could be exploited remotely, their severity level is still high, given that a hospital’s role is typically high, researchers said.

Swisslog has issued an advisory regarding security issues that affect the Nexus Panel’s HMI-3 circuit board. The issue has been acknowledged and is affecting products used in hospitals in North America.

Jennie McQuade, the Chief Privacy Officer at Swisslog Healthcare, says that the security issues are not dangerous unless a mix of factors exists.

“The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits,” Swisslog said.

Armis found the following vulnerabilities in the code powering the TransLogic PTS:

  • CVE-2021-37163: two cases of always-active hardcoded passwords
  • CVE-2021-37167: privilege escalation
  • CVE-2021-37166: denial-of-service (DoS).
  • And four memory corruption bugs in the control protocol (TLP20) of TransLogic stations:
  • CVE-2021-37161 – Underflow in udpRXThread
  • CVE-2021-37162 – Overflow in sccProcessMsg
  • CVE-2021-37165 – Overflow in hmiProcessMsg
  • CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread.

And the most severe one:

  • CVE-2021-37160: unencrypted, unauthenticated firmware upgrades on the Nexus Control Panel.

Armis reported the issues to Swisslog on May 1. The company worked with them to develop and test a patch that can be applied immediately.

The current firmware update addresses all but the severe vulnerability. It will be fixed in a future release. 

The full technical write-up is available here [PDF].


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.