Swisslog Translogic PTS systems, pneumatic tube systems running mission-critical tasks in more than 2,000 North American hospitals, patched several vulnerabilities Monday. Ben Seri, vice president of research at Armis and one of the researchers who discovered the vulnerability, says the vulnerabilities may point to a potential systemic problem in hospital information security.
Seri will be presenting his findings on Wednesday at Black Hat.
While most of the business world stopped using pneumatic tubes to send memos after digital services evolved, hospitals remain dependent on modern versions of pneumatic tube systems (PTSs). They are a quick, relatively secure way to send biological samples around a building or buildings without requiring manual labor. Medicine gets sent from pharmacies to departments in the tubes, as well as blood from blood banks.
"Once hospitals began expanding using the system more and more, their ability to go back to manual transfer is almost nonexistent," he said.
Modern PTSs are more feature-rich than the office models of years past. They are digital and include features like not allowing unauthorized users to receive a parcel.
Switching to a manual delivery of materials isn't just slower and less convenient; it requires staffing hospitals are not currently prepared to produce. This could become an issue if, for example, ransomware prevents the doors from opening until payment. There is no backup plan in place, said Seri.
The vulnerabilities in the Translogic PTS are broad. Hackers can trigger four remote execution vulnerabilities, two default telnet passwords, as well as a denial of service bug with access to the network the Translogic PTS is attached to. Additionally, the firmware is not signed or encrypted.
Seri notes that installing the patch will require shutdown of the system to install, causing a temporary interruption of service.
Seri believes that this hints at a problem in the medical security space. While he believes hospital information security staff are increasingly likely to take the security of medical devices seriously, the non-medical infrastructure can sometimes get a pass. That could also include other systems, like the access control systems controlling the hospital doors.
"It's not enough to look at the medical systems. These systems are what powers the daily life of hospital."