A Hole in the Tube: Uncovering Vulnerabilities in Critical Infrastructure of Healthcare Facilities

Presented at Black Hat USA 2021, Aug. 5, 2021, 10:20 a.m. (40 minutes)

A hidden infrastructure that transports critical care items within all modern hospitals, lies in plain sight - the pneumatic tube system (PTS). This critical infrastructure is responsible for delivering medications, blood products, and various lab samples across multiple departments of the hospital. Using pneumatic tubes, blowers, diverters, stations and a central management server, this system is essentially the equivalent of a computer network, for physical packets (named "carriers"). Modern PTS systems are IP-connected, and offer advanced features, such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring -- that enables the on-prem PTS system to be monitored and controlled through the Cloud.

Despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has not been thoroughly analyzed to date. This talk will uncover nine critical vulnerabilities we discovered in the firmware of the PTS station of one of the most popular vendors, used by thousands of hospitals in North America. These vulnerabilities can enable an unauthenticated attacker to take over PTS stations and essentially gain full control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks that can range from denial-of-service of this critical infrastructure, to full-blown man-in-the-middle attacks that can alter the paths of this networks' packages, resulting in deliberate sabotage of the workings of the hospital.

This talk will emphasize the importance of researching embedded systems that operate systems that may look gray and unimportant, but nevertheless power infrastructure in mission-critical environments such as healthcare facilities.


Presenters:

  • Barak Hadad - Researcher, Armis
    Barak Hadad is a security researcher at Armis Labs, responsible for hunting zero days and reverse engineering. Formerly an R&D team lead in the Israeli Defense Forces Intelligence, his current focus is unraveling the mysteries of various embedded devices. While breaking a factory production line is Barak's idea of fun at work, in his free time Barak enjoys gaining as many hobbies as possible, including windsurfing, volleyball, skiing, water-ski, volley-ski, ball-water-ski, and of course his favorite, wind-ball-surf-volley-ski.
  • Ben Seri - VP Research, Armis
    Ben Seri is the VP of Research at Armis, responsible for vulnerability research and reverse engineering. His main interest is exploring the uncharted territories of unmanaged devices to find common insecurities they share. Prior to Armis, Ben spent almost a decade in the Israeli Defense Forces Intelligence as a researcher and security engineer. In his free time, Ben enjoys composing and playing as many instruments as the various devices he's researching.

Links:

Similar Presentations: