IoT, Endpoint/Device Security, Black Hat, Endpoint/Device Security, Endpoint/Device Security

Major vendor for pneumatic tubes, critical to hospitals, patches vulnerabilities

Dr. Diana Fanti handles a box containing vials that was transferred by a pneumatic tube system on March 5, 2020, in Milan, Italy. Swisslog Translogic PTS systems patched several vulnerabilities with its pneumatic tube systems Monday. (Emanuele Cremaschi/Getty Images)

Swisslog Translogic PTS systems, pneumatic tube systems running mission-critical tasks in more than 2,000 North American hospitals, patched several vulnerabilities Monday. Ben Seri, vice president of research at Armis and one of the researchers who discovered the vulnerability, says the vulnerabilities may point to a potential systemic problem in hospital information security.

Seri will be presenting his findings on Wednesday at Black Hat.

While most of the business world stopped using pneumatic tubes to send memos after digital services evolved, hospitals remain dependent on modern versions of pneumatic tube systems (PTSs). They are a quick, relatively secure way to send biological samples around a building or buildings without requiring manual labor. Medicine gets sent from pharmacies to departments in the tubes, as well as blood from blood banks.

"Once hospitals began expanding using the system more and more, their ability to go back to manual transfer is almost nonexistent," he said.

Modern PTSs are more feature-rich than the office models of years past. They are digital and include features like not allowing unauthorized users to receive a parcel.

Switching to a manual delivery of materials isn't just slower and less convenient; it requires staffing hospitals are not currently prepared to produce. This could become an issue if, for example, ransomware prevents the doors from opening until payment. There is no backup plan in place, said Seri.

The vulnerabilities in the Translogic PTS are broad. Hackers can trigger four remote execution vulnerabilities, two default telnet passwords, as well as a denial of service bug with access to the network the Translogic PTS is attached to. Additionally, the firmware is not signed or encrypted.

Seri notes that installing the patch will require shutdown of the system to install, causing a temporary interruption of service.

Seri believes that this hints at a problem in the medical security space. While he believes hospital information security staff are increasingly likely to take the security of medical devices seriously, the non-medical infrastructure can sometimes get a pass. That could also include other systems, like the access control systems controlling the hospital doors.

"It's not enough to look at the medical systems. These systems are what powers the daily life of hospital."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.