
How an Insecure Series of Tubes Puts US Hospitals at Risk

Pneumatic tube systems may seem antiquated, but they're still in use at thousands of hospitals around the world, and they're vulnerable to attack, two researchers reveal at Black Hat.

By Kim Key, Senior Writer, Security


The pneumatic tube systems (PTS) used by hospitals to deliver vital medications, blood samples, and lab products to multiple departments have a security problem.

At Black Hat, Ben Seri and Barak Hadad from security firm Armis revealed critical vulnerabilities in a system used by thousands of hospitals in North America, and detailed why it's important to keep a close eye on operating systems that may look unimportant but power critical infrastructure like healthcare facilities.


What Are Pneumatic Tubes?

Pressurized tube networks have been used for decades. Before we all started using the internet, PTS were used by workers in various industries to transport mail and other documents.

Hospitals still use pneumatic tubes on a regular basis to send medicine, samples, and files from one part of the hospital to another. It all sounds very low-tech, but it’s a pretty advanced system with remote system monitoring using internet connectivity.

“It’s critical infrastructure, but it isn’t being researched,” Seri said.


Can It Play Doom?

Swisslog TransLogic Devices provides the TransLogic Pneumatic Tube System that's used by more than 2,300 hospitals in North America and 3,000 hospitals worldwide. It's managed over Ethernet by a central server. But that central server is a Windows device connected to the internet, which is where attackers are most likely to strike. 

(Image: The Swisslog terminal with DOOM)

During their Black Hat presentation today, Seri and Hadad showed how they hacked into the TransLogic system with just a few keystrokes and even installed the game Doom on the medical console. Ultimately, the pair found nine vulnerabilities in the TransLogic system and informed Swisslog about them in May 2021. Going forward, they're working with Swisslog to patch and test for new vulnerabilities.

It turns out there are plenty of exploits for a determined malicious hacker to use against a hospital system. Seri and Hadad, for example, uncovered hardcoded passwords, privilege escalation, and non-secure firmware, all of which could be exploited without any user interaction via unauthenticated network packets.


What's the Worst That Could Happen?

There are a lot of things that can go wrong if bad actors target vulnerable hospital systems. Attackers could carry out denial-of-service attacks on the PTS network, and they could access and leak staff and patient information. In extreme cases, bad actors could use ransomware to paralyze the hospital system.

Seri concluded the presentation by reiterating his point that more research needs to be done on these hybrid systems that mix old tech like pneumatic tubes with new upgrades like internet access. PTS are critical infrastructure, as are elevators and the electric grid, and should be researched and secured before malicious attackers strike.

Keep reading PCMag for more Black Hat coverage.
