Security researchers discovered critical vulnerabilities in the pneumatic tube systems used by hospitals to move critical medical data and sensitive materials.
IoT security vendor Armis discovered nine security vulnerabilities in the Swisslog Healthcare Nexus Control Panel software, which is primarily used in North American hospitals. Armis, which named the bugs "PwnedPiper," is scheduled to present its findings during a session at Black Hat USA 2021 on Wednesday.
Armis published its findings on PwnedPiper, including a technical paper on the vulnerabilities, on Monday.
The bugs were reported to Swisslog on May 1, 2021, and patches were included in the latest firmware release for the company's TransLogic pneumatic tube systems. As these tube systems tend to be vital to operations, however, installing the patches is likely to take some time.
Nexus Control Panel is a Linux-based touchscreen system used by hospitals to manage the pneumatic tube systems used to send medical samples, lab tests, prescription medications and other critical materials between departments.
The Armis team found that that the software platform contained basic holes, such as unsigned firmware acceptance and default passwords, in addition to four memory corruption holes, one denial-of-service flaw and an elevation of privilege error.
In practice, this means a remote attacker who managed to get into the hospital's network, perhaps by an unprotected server, could effectively close down the pneumatic tube network and bring hospital operations to a standstill.
"This type of system has a near 100% time of use," said Ben Seri, vice president of research at Armis. "If these systems were to be shut down unexpectedly, I'm not sure the hospital would have the means to deal with it."
One of the glaring issues for hospital security, Armis said in the research paper, is the underlying nature of many modern connected medical devices. Born in the days of closed networks and serial connections, pneumatic tube networks were never designed for exposure to a local network -- let alone, internet connectivity.
Because of this, basic connection protocols and security best practices such as default passwords and firmware signing were never considered. Even worse, there is the risk of secondary attacks, as the vulnerable systems often integrate with RFID and other IT systems in hospitals that can allow for lateral movement on the network.
"All of those devices that have serial to Wi-Fi or serial to ethernet, now they make the protocol IT connected," explained Barak Hadad, an Armis researcher. "We see a new attack surface that was not there before we started."
As a result, bug hunters expect to find more hospital security flaws when they dig deeper into the ways modern medical networks operate and the security holes that are exposed as industries transition from serial ports and isolated networks to open connectivity and cloud platforms.
"When we think about the security of healthcare, the first thing that comes to mind is the life support systems," Seri said. "But when you look at the peripheral systems that support the operation, you realize it is a delicate system; you really need to have a holistic view."