WootCloud Blog

3,000+ Hospitals' Pneumatic Tube System (PTS) Infrastructure Overtaken By PwnedPiper

These critical systems, Swisslog's TransLogic Pneumatic Tube System, are an automated material transport solution for carrying medical items across longer distances in medium to large hospitals.

The most severe of several issues is CVE-2021-37160: unencrypted, unauthenticated firmware upgrades on the Nexus Control Panel. An attacker could leverage it to install malicious firmware on the system, essentially taking full control over it.

For what it's worth, Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, says the security issues are not present unless a mix of variables exists, stating: "The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility's information technology network and who could cause additional damage by leveraging these exploits".

Lessons for security managers

Traditional thinking, and the processes that often accompany traditional tooling, would say it is difficult to see across systems where access control is managed by one system and firmware updates live in a separate system, managed by a separate vendor.

There is a flaw in the reasoning given by some of the articles and some of the Swisslog Healthcare staffers regarding this breach. The contention is that two things need to happen: (A) the bad actors get access to the IT network, and (B) the bad actors push malware onto these devices.

This is where constant monitoring is needed, because the first element (the bad actors get access to the IT network) becomes possible through errors in configuration and errors in provisioning. We also need automated provisioning for the second element (the bad actors push malware onto these devices), so that any malware that does get into these devices is not allowed to propagate to other parts of the network. Alerting should also be triggered for both of these scenarios.

Many vendors do not open their APIs, or make them very technical, with risks to accuracy, while some deliberately disallow integrations with competing platforms, or with systems or features they believe to be competing. Applications with open APIs, and both the ability and the openness to integrate with other applications, are more important than ever in today's API-driven tech world.

Finally, another lesson is that root account access control still remained in the firmware after the company issued patches. While this is obvious on large applications, this key security feature is often overlooked on smaller applications.

WootCloud Helps Detect Attacks At the Moment of Intrusion, During Intrusion, and During the Attack

WootCloud helps protect against attacks by:

  • Providing a complete inventory of all assets including 5G – Identifies and classifies all assets (managed, unmanaged or IoT) in your environment then combines this under a single pane of glass for all your assets and devices
  • Identifying vulnerabilities, risks, and gaps – Reduces risks and security issues, identifies 5G devices, operating systems, CVEs and severity, and assigns risk scores to all assets
  • Automating enforcement of security policies – Integrates both your 5G and IT and security management solutions to orchestrate actions such as notifying SOC systems, running a vulnerability scan, even blocking or quarantining devices
  • Simplifying deployment and increasing visibility – Delivers comprehensive visibility with an extremely quick and effortless deployment, with hundreds of available adapters without costly network appliances or scanners

Once attackers gain access, they must perform a certain number of steps to achieve their goal, which is typically to access and steal, manipulate or destroy data. Rarely will an attacker "land" on the device holding the desired data, and/or be the sole resource needed to carry out their objective.

So attackers must perform many different actions, including probing the network, stealing or cracking credentials, accessing sensitive servers or applications, and locating and exfiltrating data.

These activities create an INHERENT OPPORTUNITY:

  • Attacks Create Anomalous Network + Device activity
  • A Behavioral Baseline Specific to the Network (and not Static) can help isolate unusual activity.
  • A Behavioral Anomaly indicative of attack can help security analysts quickly pinpoint and root out attackers.
  • To learn more in a zero touch, no obligation Demo or POC, please contact us.
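As an added example (not code from WootCloud or Swisslog), here is how the constant monitoring called for under the "first element" above and the network-specific behavioral baseline listed here could be expressed over constructed flow records: learn which sources normally reach each tube device, alert on a first-seen source hitting the firmware-upgrade service, and flag a tube device that starts talking to the wider network. The port number, addresses, device roles and flow records are all assumptions constructed for illustration.

```python
# Added example: a minimal behavioral baseline for pneumatic-tube-system (PTS)
# hosts. Learns which (source, port) pairs normally reach each tube station or
# control panel during a baseline window, then flags (a) a new source pushing
# traffic at the firmware-upgrade service and (b) a PTS device initiating
# traffic to a non-PTS host. All values below are constructed placeholders.
from collections import defaultdict

# Assumed port for the unauthenticated firmware-upgrade service (placeholder).
FIRMWARE_PORT = 9999
PTS_ROLES = {"nexus_control_panel", "tube_station"}

# Constructed flow records: (day, src, dst, dst_port, role_of_dst)
FLOWS = [
    ("day1", "10.0.1.5", "10.0.9.10", 9999, "nexus_control_panel"),
    ("day1", "10.0.1.5", "10.0.9.11", 9999, "tube_station"),
    ("day1", "10.0.1.6", "10.0.9.10", 443, "nexus_control_panel"),
    ("day2", "10.0.1.5", "10.0.9.11", 9999, "tube_station"),
    ("day2", "10.0.7.77", "10.0.9.10", 9999, "nexus_control_panel"),  # never seen before
    ("day2", "10.0.9.10", "10.0.3.40", 445, "file_server"),  # PTS device reaching out
]

def learn_baseline(flows, baseline_days):
    """Per destination device, the set of (src, port) pairs seen during the baseline window."""
    baseline = defaultdict(set)
    for day, src, dst, port, _ in flows:
        if day in baseline_days:
            baseline[dst].add((src, port))
    return baseline

def detect(flows, baseline, detect_days, pts_roles=PTS_ROLES):
    """Return (alert_type, src, dst, suggested_action) for each anomaly in detect_days."""
    alerts = []
    pts_hosts = {dst for _, _, dst, _, role in flows if role in pts_roles}
    for day, src, dst, port, role in flows:
        if day not in detect_days:
            continue
        # Element (A): an unfamiliar source talking to the firmware-upgrade service.
        if role in pts_roles and port == FIRMWARE_PORT and (src, port) not in baseline[dst]:
            alerts.append(("firmware_push_from_new_source", src, dst, "quarantine_source"))
        # Element (B): a tube device initiating traffic beyond the PTS segment.
        if src in pts_hosts and dst not in pts_hosts:
            alerts.append(("pts_device_lateral_traffic", src, dst, "block_and_alert"))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS, learn_baseline(FLOWS, {"day1"}), {"day2"}):
        print(alert)
```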

    Contributing Authors:

    Andreas Stenzel
