Skip to main content

This dangerous security bug affects nearly all hospitals in North America

(Image credit: Pexels)
Audio player loading…

Researchers from the IoT (opens in new tab) security firm Armis (opens in new tab) have discovered nine critical vulnerabilities in the Nexus Control Panel which is used to power all current models of Translogic's pneumatic tube system (PTS) stations by Swisslog Healthcare.

The vulnerabilities have been given the name PwnedPiper (opens in new tab) and are particularly concerning due to the fact that the Translogic PTS system is used in 3,000 hospitals worldwide including in more than 80 percent of major hospitals in North America. The system is used to deliver medications, blood products and various lab samples across multiple departments at the hospitals where it is used.

The PwnedPiper vulnerabilities can be exploited by an unauthenticated hacker to take over PTS stations and gain full control over a target hospital's tube network. With this control, cybercriminals could launch ransomware (opens in new tab) attacks that range from denial-of-service (opens in new tab) to full-blown man-in-the-middle attacks (MITM (opens in new tab)) that can alter the paths of a networks' carriers to deliberately sabotage hospitals.

Despite the prevalence of modern PTS systems that are IP-connected and found in many hospitals, the security of these systems has never been thoroughly analyzed or researched until now.


Of the nine PwnedPiper vulnerabilities discovered by Armis, five of them can be used to achieve remote code execution (opens in new tab), gain access to a hospital's network and take over Nexus stations.

By compromising a Nexus station, an attacker can use it for reconnaissance to harvest data from the station including RFID credentials of employees that use the PTS system, details about the functions or locations of each system and gain an understanding of the physical layout of a hospital's PTS network. From here, an attacker can take over all Nexus stations in a hospital's tube network and then hold them hostage in a ransomware attack.

VP of Research at Armis, Ben Seri provided further insight in a press release on how the company worked with Swisslog to patch the PwnedPiper vulnerabilities it discovered, saying:

“Armis disclosed the vulnerabilities to Swisslog on May 1, 2021, and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers. With so many hospitals reliant on this technology we’ve worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line.”

Armis will present its research on PwnedPiper at this year's Black Hat USA (opens in new tab) security conference and as of now, only one of the nine vulnerabilities remains unpatched.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.