A collection of Bluetooth-related vulnerabilities, dubbed SweynTooth, could put a number of medical devices at risk. This blog provides information designed to help healthcare delivery organizations understand the risks posed by SweynTooth and determine how best to mitigate their exposure to keep their operations and patient care safe.
SweynTooth is a collection of 12 vulnerabilities that the U.S. Food and Drug Administration (FDA) warned could impact the safety of certain medical devices. The vulnerabilities exist in some Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors. These vulnerabilities require radio access to exploit.
Successful exploits could allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows that take the device out of commission, or completely bypass security on the device to give the attacker access to functionality that is usually only available to the device owner or authorized user. The exploits appear to have no effect on other devices on the network and cannot lead to data leakage.
What SweynTooth could mean for healthcare
SweynTooth mainly affects smart-homes, wearables, and environmental tracking or sensing devices, but the FDA warns there are three common types of medical devices that could be affected: pacemakers, glucose monitors, and ultrasound devices.
Some of the affected SoC manufacturers identified by the FDA include:
- Texas Instruments
- Dialog Semiconductors
- Telink Semiconductor
It is important to note, however, that not all of the devices from these SoC manufacturers use the BLE implementation that puts them at risk. The FDA says it is up to device manufacturers to determine their exposure.
GE, Dräger, Carestream and Siemens have already declared they have not identified any products affected by these vulnerabilities, and Philips also posted a security advisory for this vulnerability, with no identified affected products so far. Syqe Medical Ltd. has clarified that they did buy a BLE license for their product Syqe Inhaler v01, but they are not using the BLE technology.
Other devices that have been identified as vulnerable include VivaChek Blood Glucose Meters and some Medtronic devices (pacemaker related products) – they were named in the paper that initially documented SweynTooth by researchers at the Singapore University of Technology and Design. In addition, general IoT devices from impacted SoC vendors present within a hospital’s network could create risks for service availability.
What healthcare delivery organizations can do about SweynTooth
There are several steps that HDOs can take to mitigate the risks from the SweynTooth vulnerabilities.
- Identify all potentially vulnerable devices in the network.
- Medigate customers can identify exactly which devices – manufacturer make, model, etc. – are where in their network.
- Patch devices as soon as possible.
- SoC manufacturers will be issuing patches when available that can be applied to address the vulnerability. For example, Dialogue Semiconductor provides a schedule of when they expect patches to be available: https://www.dialog-semiconductor.com/sweyntooth-bluetooth-low-energy-vulnerability
- IMPORTANT – available patches from the SoC manufacturer need to be approved by the vendor of the affected medical device BEFORE they can be applied. For example, it is not enough that Dialog has an available patch, the device manufacturers that use Dialog, like Medtronic, need to approve it for each relevant device to ensure there is no adverse impact to the functionality or service of that medical equipment.
- Restrict access to potentially impacted systems to only authorized individuals – applying the rule of least privilege to minimize risks.
- Medigate customers can apply micro-segmentation policies to isolate and restrict network access to vulnerable devices.
For more information or for questions on how to mitigate risks from SweynTooth, please contact us or hit the chat button with specific questions.