SweynTooth cybersecurity vulnerabilities: considerations for medical device manufacturers

Hogan Lovells

The U.S. Food and Drug Administration (FDA) announced a set of cybersecurity vulnerabilities, referred to as “SweynTooth,” that – if exploited – may introduce risks for certain Bluetooth-enabled medical devices. The vulnerabilities were identified in the software of system-on-chip (SoC) vendors that supply medical device manufacturers, and they affect a broad range of devices. Medical device manufacturers will need to consider steps to evaluate, mitigate, and monitor the impact of these vulnerabilities, as well as be prepared to address the issues likely to emerge.

On 3 March 2020 FDA announced a set of cybersecurity vulnerabilities, referred to as “SweynTooth,” that – if exploited – may introduce risks for certain Bluetooth-enabled medical devices. The vulnerabilities were originally identified and announced by researchers at Singapore University of Technology and Design.

SweynTooth affects the wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life. The technology can be found in medical devices as well as other devices, such as consumer wearables. SweynTooth may allow an unauthorized user to wirelessly crash the device (crash), stop it from working (deadlock), or access device functions normally only available to the authorized user (bypass security).

The SweynTooth vulnerabilities were identified in the software development kits (SDKs) of seven major SoC vendors that supply connected device manufacturers, representing many hundreds of different products including glucose monitors, pacemakers, and others. Researchers described 12 vulnerabilities in specific BLE SoC implementations that allow an attacker within radio range of the device to trigger crashes, deadlocks, or the complete bypass of security.

An attacker can crash a device by triggering hard faults, causing denial-of-service conditions, or exploiting buffer overflows that may make it possible to overwrite memory and bypass encryption. Moreover, the attacker can force a device into a frozen deadlock through a number of different means, generally related to the synchronization of the user code and the SDK firmware. Critically, the attacker may also bypass security during the pairing mode, gaining arbitrary read or write access to the device’s functions. If there is any good news, it is that these vulnerabilities cannot be exploited remotely: all of these attacks require that the device’s Bluetooth is enabled and that the attacker is within close physical proximity (i.e., within Bluetooth range) of the device.

The seven SoC manufacturers that were identified as affected by these vulnerabilities are listed below, and many have already issued patches. These patches will go from the SoC manufacturer to the device manufacturer, who will need to perform a firmware update on affected devices, which may take some time. On the positive side, FDA points out that, in large part, patches made to address these vulnerabilities are unlikely to significantly affect device safety or effectiveness and, therefore, should generally not require premarket review prior to implementation.

Identified SoC manufacturers include:

  • Texas Instruments
  • NXP
  • Cypress
  • Dialog Semiconductors
  • Microchip
  • STMicroelectronics
  • Telink Semiconductor

It is important to note that others not on this list may well be identified as more becomes known about the impacts of the SweynTooth vulnerabilities.

The Department of Homeland Security - Cybersecurity and Infrastructure Security Agency Advisory

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on 3 March 2020 also issued ICS-ALERT-20-063-01, SweynTooth Vulnerabilities, which provides additional technical detail related to the SweynTooth vulnerabilities. The alert explains that proof-of-concept exploit code, developed to demonstrate security flaws in software or networks, is publicly available and that CISA is coordinating with stakeholders to identify potential mitigations.

CISA and FDA recommendations

CISA recommends the following for manufacturers:

  • Where feasible, evaluate the possibility and safety of disabling the use of the affected wireless communications protocol.
  • Update, or create a plan to update, to the latest available patch level to mitigate vulnerabilities for affected devices.
  • Provide users with information about affected products and recommendations on how to mitigate the vulnerabilities.

CISA also reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures and provides a section for control systems security recommended practices on the ICS webpage at www.us-cert.gov.

FDA notes that medical device manufacturers are already assessing which devices are affected by SweynTooth, evaluating the risk, and developing remediation actions. The agency has also recommended in its communications that manufacturers:

  • Evaluate if your device, or any device that communicates with your device, uses BLE technology and how it is impacted by these vulnerabilities.
  • Conduct a risk assessment, as described in FDA’s cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities to affected devices and develop risk mitigation plans.
  • Ensure mitigations include compensating controls while you are developing software patches.
  • Work with health care providers, facilities, and patients to determine which medical devices are affected and to take actions to ensure that risks are reduced to acceptable levels.
  • Where possible, monitor medical devices for any signs of unusual behavior. Communicate with your customers and the user community regarding your assessment and recommendations for risk mitigation strategies and any compensating controls, so that customers can make informed decisions about device use. Share your customer communications with an Information Sharing Analysis Organization (ISAO).
  • Report medical devices you have identified as vulnerable to SweynTooth to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) at ICS-CERT@HQ.DHS.GOV, so that this information can be added to its evolving list of products.

Additional recommendations

Additionally, manufacturers should consider taking the following actions so that they are prepared to address the questions that will likely be coming, if they have not already begun to arrive.

  • Create an inventory of your devices and identify whether they use SoCs from the identified manufacturers and, therefore, could be at risk of one of the currently known, or unknown, vulnerabilities. Know that there may well be other affected chip manufacturers who have not yet been identified.
  • Actively communicate with your SoC manufacturers to understand what updates are in development and when they are planned for release.
  • Be prepared for contacts from healthcare delivery organizations (HDOs) as they have been recommended to reach out to the manufacturers of all of their Bluetooth enabled devices to determine whether those devices may be affected.
  • Create talking points and consider providing the talking points and the list of potentially affected devices to customer service for use in responding to calls.
  • Consider developing an FAQ that includes a list of your products that use BLE with SoCs from affected manufacturers and proactively making it available on your website.
  • Where you have devices that use BLE technology, initiate an analysis to determine whether they are vulnerable to being exploited via the identified means. As the exploit code is available, consider downloading it and challenging your devices to determine whether you can induce the failure modes.
  • Use the company’s risk management program to:
    • detect, analyze, and assess potential threat sources;
    • identify, characterize, and assess cybersecurity vulnerabilities by focusing on the risk of patient harm by considering: 1) the exploitability of the cybersecurity vulnerability in terms of the safety and essential performance of the device, and 2) the resulting severity of patient harm if the vulnerability were to be exploited; and
    • utilize risk acceptance criteria to conduct a risk evaluation and determine whether a cybersecurity vulnerability affecting a medical device presents an acceptable or unacceptable risk.
  • For every potentially affected BLE enabled device, develop recommendations for customers, and in particular HDOs, to manage the vulnerability.
    • For instance, consider recommending that the HDOs turn off the device Bluetooth capability unless and until it is needed to use the device.
    • Work with your SoC manufacturers to develop recommendations for handling and mitigating the vulnerabilities. We understand that patches are available for many of the SoCs, but medical device manufacturers will need to do some work before they can deliver them to finished devices via a firmware update.
  • Consider whether any of your actions or recommendations trigger reporting obligations to FDA.

We will continue to monitor cybersecurity vulnerabilities and regulatory oversight.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
