A hidden infrastructure that transports critical care items within all modern hospitals lies in plain sight: the pneumatic tube system (PTS). This critical infrastructure is responsible for delivering medications, blood products, and various lab samples across multiple departments of the hospital. Using pneumatic tubes, blowers, diverters, stations and a central management server, this system is essentially the equivalent of a computer network for physical packets (named "carriers"). Modern PTS systems are IP-connected and offer advanced features, such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring, which enables the on-prem PTS system to be monitored and controlled through the Cloud.

Despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has not been thoroughly analyzed to date. This talk will uncover nine critical vulnerabilities we discovered in the firmware of the PTS station of one of the most popular vendors, used by thousands of hospitals in North America. These vulnerabilities can enable an unauthenticated attacker to take over PTS stations and essentially gain full control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of this network's packages, resulting in deliberate sabotage of the workings of the hospital. This talk will emphasize the importance of researching embedded systems that operate systems that may look gray and unimportant, but nevertheless power infrastructure in mission-critical environments such as healthcare facilities.