A Hole in the Tube: Uncovering Vulnerabilities in Critical Infrastructure of Healthcare Facilities

Conference:  BlackHat USA 2021



The presentation discusses the vulnerabilities found in a hospital pneumatic tube system and the importance of securing embedded devices. The presenters suggest developing robust security mitigations to safeguard these types of systems.
  • The hospital pneumatic tube system was found to have vulnerabilities that could be exploited by attackers to gain remote code execution and persistence over the system.
  • The vulnerabilities were due to a lack of security mechanisms in the system's code base parsing the translogic protocol.
  • The presenters suggest using heat spraying and the global offset table to gain code execution via a primitive.
  • The importance of securing embedded devices is emphasized, and the need for security considerations during the evolution of hardware to software is highlighted.
  • Robust security mitigations should be developed to safeguard these types of systems.
  • Patching these systems is difficult, but mitigating the risk of these types of vulnerabilities from a network standpoint is possible.
The presenters suggest adding Doom to pneumatic tube systems in hospitals to make hospital visits more interesting. They even offer Swiss Log a week to use their code, which is ready to be deployed into production.


A hidden infrastructure that transports critical care items within all modern hospitals, lies in plain sight - the pneumatic tube system (PTS). This critical infrastructure is responsible for delivering medications, blood products, and various lab samples across multiple departments of the hospital. Using pneumatic tubes, blowers, diverters, stations and a central management server, this system is essentially the equivalent of a computer network, for physical packets (named "carriers"). Modern PTS systems are IP-connected, and offer advanced features, such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring -- that enables the on-prem PTS system to be monitored and controlled through the Cloud.Despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has not been thoroughly analyzed to date. This talk will uncover nine critical vulnerabilities we discovered in the firmware of the PTS station of one of the most popular vendors, used by thousands of hospitals in North America. These vulnerabilities can enable an unauthenticated attacker to take over PTS stations and essentially gain full control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks that can range from denial-of-service of this critical infrastructure, to full-blown man-in-the-middle attacks that can alter the paths of this networks' packages, resulting in deliberate sabotage of the workings of the hospital. This talk will emphasize the importance of researching embedded systems that operate systems that may look gray and unimportant, but nevertheless power infrastructure in mission-critical environments such as healthcare facilities.