Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked

It’s all too common to find hackable flaws in medical devices, from mammography machines and CT scanners to pacemakers and insulin pumps. But it turns out that the potential exposure extends into the walls: Researchers have found almost a dozen vulnerabilities in a popular brand of pneumatic tube delivery system that many hospitals use to to carry and distribute vital cargo like lab samples and medicine. 

Pneumatic tubes may seem like wonky and antiquated office tech, more suited to The Hudsucker Proxy than a modern-day health care system. Yet they’re surprisingly common. Swisslog Healthcare, a prominent medical-focused pneumatic tube system maker, says that more than 2,300 hospitals in North America use its “TransLogic PTS” platform, as do 700 more elsewhere in the world. The nine vulnerabilities that researchers from the embedded device security company Armis found in Swisslog’s Translogic Nexus Control Panels, though, could let a hacker take over a system, take it offline, access data, reroute deliveries, or otherwise sabotage the pneumatic network.

“You look at one of these pneumatic tube systems that’s connected to the internet and think, what can go wrong?” says Ben Seri, vice president of research at Armis. “But once you look inside you see everything is very delicately aligned, and one thing going out of balance can make it vulnerable to abuse in attacks. This is serious, because these systems perform critical functions in the hospital. Medicine and specimens move from place to place more quickly, patients can get more tests, which all leads to more reliable health care.”

Attackers could target a pneumatic tube system as part of a ransomware attack, significantly slowing laboratory testing and the distribution of medicine. Or hackers could monitor delivery data for espionage. They could even disrupt delivery routing or damage samples at high speeds by manipulating the motors, blowers, robotic arms, and other industrial components that typically work in carefully choreographed sequences to complete deliveries. 

The vulnerabilities the Armis researchers found in TransLogic PTS offerings aren’t directly exploitable from the open internet. But they’re all relatively simple flaws to take advantage of, a smattering of hardcoded passwords, buffer overflows, memory corruption bugs, and the like. An attacker on the same network as the web of pneumatic tubes and control panels would have multiple paths to manipulate the system. And by exploiting certain flaws, they could even install their own unvalidated firmware on a Translogic Nexus Control Panel. For attackers, this would be an avenue to establishing deep, lasting control—hospitals would need to install another curative firmware update to eradicate the intruders. 

The researchers, who will present their findings at the Black Hat security conference in Las Vegas on Wednesday, notified Swisslog about the flaws on May 1. The health care company has been collaborating to fix the issues and has released a security advisory. Armis says there are nine vulnerabilities, while Swisslog counts eight, because the company considers two different hard-coded password issues as a single vulnerability, while the Armis researchers say they are two distinct flaws. 

Swisslog has started distributing patches for all but one of the vulnerabilities. The flaw that remains unpatched is the firmware verification issue; the company is working to design validation checks but says it is releasing other mitigations to customers in the meantime. There isn’t a single update mechanism or platform through which Swisslog distributes patches. The company says different customers have different setups, “dependent on the hospital’s technology environment and preferences.” Armis’ Seri says that, in practice, it may be challenging for hospitals to get and apply the updates.