Critical PwnedPiper Flaws Affect Pneumatic Tube Systems in 3,000 Hospitals

Pneumatic tube systems are used by many businesses for transporting small items around facilities, including healthcare. In hospitals these systems are extensively used for delivering drugs from the pharmacy, sending test samples to the lab for analysis, and transporting other items around the hospital. These transportation systems are connected to hospital networks, so the firmware could potentially have vulnerabilities that could be exploited in cyberattacks, but until now these systems have not been thoroughly researched and analyzed.

Researchers at Armis Security changed that with an analysis of the Nexus Control Panel of Swisslog Healthcare Translogic Pneumatic Tube System (PTS) stations, which are used in more than 80% of major hospitals in the United States. The researchers identified 9 critical vulnerabilities that could be exploited in a range of cyberattacks. Those vulnerabilities were present in the latest version of the firmware and around 3,000 hospitals worldwide, including 2,300 in the United States, are affected.

The types of vulnerabilities identified by the researchers are common in IoT devices, but for them to be present in a system that is part of a hospital’s critical infrastructure is disturbing. If the pneumatic tube system is compromised and attackers gained full control of PTS stations, the transportation of drugs and test samples would be severely disrupted. Blood samples and drugs would have to be delivered manually, which would naturally have a negative impact on patient care and could potentially pose a major risk to patient safety.

The 9 critical vulnerabilities identified by the researchers – collectively named ‘PwnedPiper’ – included memory corruption vulnerabilities, hard-coded passwords, privilege escalation vulnerabilities, and a lack of validation for firmware updates. The flaws could be exploited in a denial of service or ransomware attack, sensitive data such as employee RFID credentials could be obtained, and attackers could easily conduct reconnaissance and identify the layout of the PTS network, including the functions and locations of the stations.

Further, the flaws would not be too difficult to exploit. An attacker could potentially target a low-grade networked IoT device such as an IP camera, vulnerabilities in which are often discovered. Once a vulnerability has been exploited to gain access to the network, the PTS system could be targeted. The attacker could perform reconnaissance, and exploit the flaws to gain full control of every PTS station in the hospital and simply shut those stations down.

“In this volatile state, the hospital’s operations can be severely derailed,” said the researchers. “Medications supplied to departments, timely delivery of lab samples, and even blood units supplied to operating rooms all depending on constant availability of the PTS.”

The researchers reported the flaws to Swisslog Healthcare and presented the findings of their research at Black Hat USA. Swisslog Healthcare has patched 8 of the 9 vulnerabilities in version of the Nexus Control Panel, and users are being encouraged to upgrade the firmware as soon as possible.  A patch for the final vulnerability, which affects legacy systems, will be developed and applied in a later firmware release.

There have been no reported cases of exploitation of the flaws to date but if it is not possible to update the affected PTS stations promptly, the suggested workarounds and mitigations should be implemented to reduce risk. These are detailed in Swisslog Healthcare’s recent security advisory.

“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare,” said Nadir Izrael, Armis co-founder and CTO. “Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of