CyberWire Daily - Like a computer network but for physical objects. [Research Saturday]
Episode Date: September 4, 2021

Guest Ben Seri, Armis' VP of Research, joins Dave to talk about a set of remote code execution (RCE) vulnerabilities in the pneumatic tube system of Swisslog. Nine vulnerabilities in critical infrastructure used by 80% of major hospitals in North America. Swisslog's Translogic Pneumatic Tube System (PTS), a solution that plays a crucial role in patient care, found vulnerable to devastating attack. Dubbed PwnedPiper, the vulnerabilities allow for complete takeover of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted, but are no longer supported by Swisslog. The research can be found here: PwnedPiper
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
In many ways, it's very similar to a computer network, just for physical objects.
That's Ben Seri. He's VP of Research at Armis.
Today, we're discussing their research on remote code execution vulnerabilities in Swisslog's pneumatic tube system.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024,
these traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation, and detecting threats using AI to analyze over
500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization
with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
You have stations, which are the endpoints of the system,
where staff at the hospital can send and receive carriers.
And these stations are connected with the tubes, and there are routers, and they're called transfer units or diverters
in the terminology of pneumatic tubes.
And these literally shift carriers within the various intersections of tubes.
And then you have blowers.
These are what maintain the air pressure within the system,
and they can pull or push the air depending on the direction of the carrier.
So this is really, in many ways, a network that transports physical objects
similarly in ways to how packets are passing through an IP network.
I can't help but be reminded of years ago,
people were making jokes about comparing the internet to a series of tubes.
And here we have an actual series of tubes, right?
Right. Yeah, it is.
It is a series of pipes.
There is also, in computers, pipes are a way to...
Within the Linux system, for example,
pipes are a way to transfer data between processes.
And here, literal pipes are used to transfer physical objects.
Well, help us understand what's going on to control all of this.
I mean, obviously, there's routing.
You've got to get things from point A to point B.
For the folks who are using this system,
what's going on under the hood?
Yeah, so maybe unlike the IP network, in this case,
this has to be orchestrated very carefully by a central management server.
When you want to do a transaction of a carrier through the tubes,
you first have to align all of these diverters to the correct path of the tubes.
So you would create a link between source and destination station.
Then you would need to turn on the blower
and have the air pressure set to the correct speed.
There is a feature within these systems
that you can control how fast you send a carrier within the tubes.
And this is important in healthcare specifically
because certain items like blood products, they can be damaged if they are sent too fast within the tubes.
So you can control, you have the slow transfers, and then you can have urgent transfers for stuff that you need to deliver really quickly.
So when you set up the tubes with the diverters, when you turn on the blowers,
eventually the station's door opens, and then the staff can put in the carrier,
and then it will be whisked off within the tubes.
It's a system in which you have one transaction at a time per what is called a zone.
And a zone is part of the hospital where the tubes interconnect in a way that you can only transfer one carrier at a time.
But then you can have multiple zones,
and they will interconnect with inter-zone diverters.
So that's a way to make more transactions occur at a time.
But essentially, it's this complex network of analog components
that needs to be synchronized to allow transactions to take place.
To what degree is this automated? Are there humans keeping an eye on things, or does it pretty much run itself?
It pretty much runs by itself. I would imagine that back in the day, maybe when you were a child in the department store,
it would have much more analog and manual management
like elevators had back in the day, right?
So, and there would be an operator.
So I saw an image, for example,
that you see this type of system was installed in offices
where it was used as inter-office messaging.
And then in large offices where you had, I don't know,
hundreds of these stations or endpoints
where you can load carriers,
you would have a physical operator
and you'd put in the carrier,
it would be sent to the operator
and with the
destination written on it or something of that nature, then the operator would send
it to the next, to its destination.
So very much like how telecommunications, how phones worked earlier on.
But yeah, that's back in the day.
Today, everything is managed automatically.
It does everything, the central management server does all the coordination
automatically.
There is some maintenance to be done.
Some maintenance issues can occur.
Swisslog, specifically the company,
the vendor that we found vulnerabilities in its product,
does offer a service for hospitals in which it manages
and monitors their central management server remotely from the internet,
which is probably a good feature to have,
so you don't need someone physically monitoring it at each hospital.
But it also creates an attack surface, right?
Because the central management server now needs to be connected to the internet.
The internet is an obvious attack surface. And also that connectivity
to the monitoring solution by Swisslog,
if it's found vulnerable in the future, then that can be an
entry for attackers to take over the PTS network
from the internet. Well, and this leads us to the research
that you and your colleagues have published here,
where you all have discovered some vulnerabilities
in these systems.
How did this first come to your attention?
So from time to time, we do proactive research.
My team has all kinds of tasks within Armis,
but part of it is really looking at our customers' environments, understanding what
are the most common and most critical types of devices that they use, and doing research on it
and trying to find vulnerabilities. And so in our healthcare customers, I noticed the fact that
all of them use this pneumatic tube system, which I was not aware of before, that it existed. And for me, it was a blast from the past to see something like that actually in use.
And it was just very popular.
So the Swisslog system is used in over 80% of hospitals in North America.
It's installed in over 3,000 hospitals worldwide.
Every major hospital needs to have a pneumatic tube system.
And Swisslog is the leading vendor in North America
for these types of solutions.
So it was apparent to us that this was very popular on one hand,
but on the other hand, it's not well known.
It's little known to the general public
and probably hasn't received any research efforts
because of that, because it's just hidden within the walls in hospitals and people don't think about it.
Right. Well, take us through what you discovered here. What exactly is the vulnerability?
So it's nine vulnerabilities, and they are critical in nature because they can allow takeover of the stations within this network. The current models of Swisslog, Translogic, PTS stations
are all based on a board called the Nexus Control Panel.
And this control panel runs Linux,
and it is the brains of all the current station models by Swisslog.
And so by having access to the hospital's network where these are
installed and these are IP connected, an attacker can take over them with
various different vulnerabilities that we found.
So there is a telnet server open on this device, unfortunately, that wasn't
supposed to be left open in production.
It has a hard-coded password that we were able to find.
These can be used to log into the device and take over it. There is also a privilege escalation vulnerability
that can allow root access. So that's one bunch of vulnerabilities. Then there are a couple of
memory corruption vulnerabilities. And these are in the protocol that manages these stations,
the protocol that the central server has with all of these stations,
and they can also reach remote code execution.
There is also a denial of service vulnerability we found,
and lastly, a very serious design flaw
in which the firmware upgrade process of these devices
is completely not secure.
So the firmware is not signed, it's not encrypted,
and there isn't any authentication needed to trigger the firmware upgrade process.
So all of these different vulnerabilities can allow attackers
to compromise the Nexus Control Panel, which powers all current models
of the pneumatic tube stations.
And it only requires access to the network, which is something that the attacker would need to
have to trigger the attack.
But it does not require authentication.
It doesn't require any user interaction.
It's a remote attack in various ways.
What has the response been of Swisslog?
Have you reached out to them?
We have, yes.
So we've been in contact with them since the beginning of May.
It took some time for them to understand that this was a serious issue
and that they need to handle it.
This is the first disclosure that they are experiencing.
They are a very serious company and they have a very advanced tech,
but they come from an era which is an analog era in many ways.
And so the security was maybe not completely part of the design of these systems,
but they have gone through the path of understanding the vulnerabilities better,
developing a patch.
They have released a patch on Monday, so on August 2nd, when this disclosure became public,
and a security advisory in which they offer various mitigations.
And Armis has also published a security advisory detailing how this can be blocked by various
tools and how to mitigate the risk in the best way possible.
So this is very important looking forward.
What we found maybe is now receiving a patch that would fix the specific issues.
But we believe that the system is now being researched in a more right-of-way.
Other issues would be found in them.
And it's important to harden the access to them as much as possible.
And what are the potential issues here?
What are the dangers of a system like this being taken advantage of?
First, I think it's important to understand how critical it is
within the hospital. So what are its actual tasks?
It starts from the fact that testing within a hospital,
lab tests, there are this daily motion that the hospital
needs to do on a regular basis all the
time. So to automate this process, all of the departments, all of the nursing stations have
these stations and lab samples, various specimens that are taken from patients are sent through the
tubes to a central laboratory where it is tested quickly, and then the patient's care is continued based on that test.
So that's one use case which is very, very common.
There are other uses of the PTS network within hospitals.
Pharmacies within hospitals usually connect to the PTS network
where they distribute medicine to all of the departments using this network.
The blood bank in the hospital might be connected to this network
so blood units can be sent to operation rooms from the blood bank.
And so there are various applications in which this is used.
And again, critical items such as blood units and various specimens
are shipped within the network.
So just understanding the fact that this is a critical infrastructure, and if it were to be shut down unexpectedly, this would result in some effect
on patient care in a way, just because hospitals are this chaotic scene by nature, and adding more
chaos to that scene is something that can harm patient care eventually. So this is why, again,
any attack on the system can have consequences just by the fact that this system is so delicate and so critical to the operations of a hospital.
But then there are also other elements of why an attack on this network could be meaningful for an attacker. So the PTS solution by Swisslog, it integrates with other hospital infrastructures, and that
can hold some sensitive data within these integrations.
So, for example, the access control system of the hospital that manages physical access
to doors by authenticating an RFID card that the nurses and the doctors have. This system is usually integrated with the Translogic PTS solution
to allow the staff to be authenticated with the PTS stations
so only the staff can use the pneumatic tube system
and not by some patient or anybody else walking through the corridors.
And that type of integration exposes the RFID credentials of the staff,
staff records, stuff like that, to any attacker that takes over the system
because this sensitive data passes through the system.
So all kinds of attacks are possible in this system.
One would be an information leak.
Another would be shutting it down,
which would be harmful for a hospital.
And maybe the third most
sophisticated type of attack
is not likely to occur by
a simple attacker. It would require
a more sophisticated attacker.
But it is possible to abuse
this system in a way that
derails hospital operations
until they understand that the network has been compromised.
So just doing a man-in-the-middle attack on the system
in which you change the path of the carriers,
an attacker sitting on the stations,
compromising the stations can intervene with the correct path
that the carrier should go through,
and that would create more chaos in the hospital.
He can change the speeds in which the carriers travel through the tubes.
And as I mentioned, some items are sensitive to that,
to the speed at which they travel, so that can damage their content.
And all of that might be used by a very sophisticated attacker
to assert a ransomware attack.
So just holding the network of the tubes hostage until a payout is made.
So it's not something that we usually connect to a ransomware attack.
We know that ransomware attacks are normally connected to PC endpoints
and their files being encrypted.
But essentially ransomware is just the use of something sensitive
being taken hostage.
And the network itself,
the pneumatic tube network
can also be taken hostage.
As I mentioned,
one of the vulnerabilities we found
is the fact that
the firmware upgrade process
of this device
is very much not secure.
So an attacker is able to,
can maintain persistence
on these devices.
So once he has done that, it will be very hard to get rid of him if he demands a certain
payout for that to stop his attack.
So is the message here, I mean, I suppose there are plenty of people in our audience
who have customers, colleagues, and so forth in the cybersecurity realm who are either working with
hospitals or hospital adjacent or suppliers of hospitals. I suppose a big part of this is just
spreading the word that this vulnerability exists and that there are mitigations in place that
people should take a serious look at. Yeah, I agree. And I think that we also have healthcare customers and
when we brought this news to them, it was also apparent that
they too were not completely aware of the fact that this system
is in use in their hospitals and that's so critical.
So it is just something that is hidden within the walls. It works.
You don't think about it.
You don't pay any attention to it.
And so security aspects of it are also not in front of you or not something that you're thinking about.
So it's a twofold process.
First, raising the awareness of the fact that these systems exist.
They're important.
They're critical.
And second, that they are vulnerable. And there are ways to mitigate risks around them and to better protect them.
I think just in a more broader term, it's important to understand when you think about
healthcare security, that it starts from the medical devices, right, the life support systems,
infusion pumps, the stuff that are directly connected and are providing their function to the patients.
These devices' security is very important, obviously.
But then you should look at the hospital in a more holistic way and understand that there are other systems involved in providing the patient care.
Maybe they are not categorized as medical devices.
Maybe there are these transport systems
with pneumatic tube systems
maybe they are the electricity of the hospital
water irrigation systems, the elevators
but there are all of these systems that interconnect
and are eventually what allows the hospital
to provide its patient care
and provide the best service that it can.
So for the security community, and for the healthcare space,
looking at their attack surface in a more broader way,
I think this is a good way of moving forward.
Our thanks to Ben Seri from Armis. The research covers remote code execution vulnerabilities in the pneumatic tube system of Swisslog.
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Thanks for listening. We'll see you back here next week.