Those who know me are probably at least vaguely aware that I am a consultant with the FDA for cybersecurity in medical devices and recently went to DC to participate in a forum regarding the release of vulnerability information to patients. Last night, I received an email from the FDA regarding the first of these releases since we set up the protocol. From a purely intellectual perspective, it was gratifying to see the process working. From a cybersecurity perspective, this is potentially very serious, and I found it fairly alarming. I forwarded the email to my husband, Chris, who actually designs low power Bluetooth chips, and asked him to please tell me this isn’t as bad as I think it is. He told me, “It is as bad as you think it is. Maybe worse.”
SweynTooth is a family of twelve vulnerabilities in the Bluetooth Low Energy (BLE) stacks shipped in chips from several vendors, all of which are very serious. BLE allows connectivity between a simple device (like your headphones or wireless mouse) and the primary device. Not only are these chips used in your wireless headphones, they are also used in many implanted medical devices (yes, we are talking about pacemakers, insulin pumps, and neurostimulators, among others). The vulnerabilities allow an attacker within radio range (approximately 300 feet) to trigger crashes, deadlocks, and security bypasses. So far, the only good news in this is that these attacks cannot be carried out remotely (over the internet); the attacker would have to be within that 300-foot range.
- A Crash means the code in the device abruptly stops or starts executing incorrectly. The attacker can trigger a hard fault through incorrect code behavior or memory corruption (for example, a buffer overflow caused by a malformed packet). Devices should restart when a crash occurs, but only if fault handling was implemented correctly by the manufacturer (frequently overlooked or incorrectly implemented). Chris explained to me that when a device crashes, it can burn through its battery life.
- A Deadlock is a state where the device is unable to communicate due to a synchronization issue, so the code is “stuck”. This could occur after a crash or independently.
- The Security Bypass vulnerabilities are possibly the most critical. They would potentially give an attacker read and write access to a device’s functions, meaning the attacker could take over and control the device.
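To make the “crash via memory corruption” item concrete, here is an added C illustration. It is not from the original post, not the researchers’ PoC, and not the code of any affected vendor’s stack: a simplified BLE link-layer receive path that trusts the attacker-controlled Length field in the packet header, beside the same path with the check a practitioner would expect before copying radio data into a fixed buffer. The two-byte header, the 27-byte payload buffer, the guard bytes standing in for adjacent memory, and the constructed packets are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified BLE 4.x link-layer data PDU: a 2-byte header
 * (flags, Length) followed by up to 27 payload bytes. Illustrative only. */
#define LL_HDR_LEN      2
#define LL_MAX_PAYLOAD  27
#define GUARD_BYTE      0xA5

/* One receive slot. `guard` stands in for whatever the firmware keeps right
 * after the payload buffer (a pointer, a state flag, a return address). */
struct rx_slot {
    uint8_t data[LL_MAX_PAYLOAD];
    uint8_t guard[4];
};

void slot_init(struct rx_slot *s) {
    memset(s->data, 0, sizeof s->data);
    memset(s->guard, GUARD_BYTE, sizeof s->guard);
}

/* 1 if the bytes after the payload buffer are untouched, 0 if they were overwritten. */
int slot_guard_intact(const struct rx_slot *s) {
    for (size_t i = 0; i < sizeof s->guard; i++)
        if (s->guard[i] != GUARD_BYTE) return 0;
    return 1;
}

/* Constructed test input: a PDU whose header claims `claimed_len` payload bytes.
 * An attacker with a radio chooses this field freely. Returns bytes written, 0 on no room. */
size_t build_pdu(uint8_t *out, size_t cap, uint8_t claimed_len, uint8_t fill) {
    size_t total = LL_HDR_LEN + (size_t)claimed_len;
    if (total > cap) return 0;
    out[0] = 0x02;              /* LLID field; its value is not used below */
    out[1] = claimed_len;
    memset(out + LL_HDR_LEN, fill, claimed_len);
    return total;
}

/* Flawed receive path: trusts the Length field and copies that many bytes into
 * a 27-byte buffer. The copy is capped at sizeof(*slot) only so this demo cannot
 * write outside the struct; real firmware has no such backstop. */
int ll_rx_unchecked(struct rx_slot *slot, const uint8_t *pdu, size_t pdu_len) {
    if (pdu_len < LL_HDR_LEN) return -1;
    size_t len = pdu[1];
    if (len > pdu_len - LL_HDR_LEN) return -1;   /* guards only the read, not the write */
    size_t cap = sizeof *slot;                    /* demo backstop, see above */
    if (len > cap) len = cap;
    memcpy((uint8_t *)slot, pdu + LL_HDR_LEN, len); /* overruns data[] into guard[] when len > 27 */
    return (int)len;
}

/* Hardened receive path: validate the untrusted Length field against both the
 * bytes actually received and the buffer the payload is copied into. */
int ll_rx_checked(struct rx_slot *slot, const uint8_t *pdu, size_t pdu_len) {
    if (pdu_len < LL_HDR_LEN) return -1;
    size_t len = pdu[1];
    if (len > pdu_len - LL_HDR_LEN) return -2;   /* truncated PDU: drop */
    if (len > LL_MAX_PAYLOAD) return -3;          /* oversized claim: drop, never copy */
    memcpy(slot->data, pdu + LL_HDR_LEN, len);
    return (int)len;
}

/* Runs one oversized PDU through both paths. Returns 1 when the unchecked path
 * corrupted the guard bytes and the checked path rejected the PDU leaving them intact. */
int demo_oversized_pdu(uint8_t claimed_len) {
    uint8_t pdu[LL_HDR_LEN + 255];
    size_t n = build_pdu(pdu, sizeof pdu, claimed_len, 0x41);
    struct rx_slot a, b;
    slot_init(&a);
    slot_init(&b);
    int r_unchecked = ll_rx_unchecked(&a, pdu, n);
    int r_checked = ll_rx_checked(&b, pdu, n);
    return r_unchecked > 0 && !slot_guard_intact(&a)
        && r_checked == -3 && slot_guard_intact(&b);
}

int main(void) {
    printf("oversized PDU (Length=31): %s\n",
           demo_oversized_pdu(31) ? "unchecked path clobbered memory past the buffer; checked path dropped it"
                                  : "unexpected result");
    return 0;
}
```

The point of the guard bytes is what the crash item describes: once the write runs past the buffer, whatever the firmware stored next to it is overwritten, and the device either faults, behaves incorrectly, or, if the fault handler was never written properly, hangs and drains its battery.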
The details of these vulnerabilities were released by researchers at the Singapore University of Technology and Design. They claim that they exercised responsible disclosure by notifying manufacturers of the vulnerabilities a few weeks before they disclosed publicly, allowing some manufacturers time to write patches for their firmware. However, when they publicly released the vulnerabilities, they also released Proof of Concept (PoC) code, demonstrating to attackers how to exploit the vulnerabilities.
The Common Vulnerability Scoring System (CVSS) assigns each vulnerability a severity score from 0 (none) to 10 (critical). Each of the twelve SweynTooth issues is scored separately; for one of them (CVE-2019-19193) the base score is 6.1, the Impact Score is 6.9, and the Exploitability Score is 6.5, so it’s relatively high, but I have seen worse. I recently saw a pacemaker vulnerability with a CVSS score of 9.3.
I told Chris I didn’t want to write this blog without offering some reassurance, and he told me that several medical devices only use the BLE chip for communication and their actual medical function is carried out by a separate microprocessor. I know, that’s not a lot, but it’s something. The other reassurance we have is that the chip manufacturers are aware and are working on patches, and some patches are already available. The DHS and the FDA are both on top of this and doing what is within their power to help.
If you have an implanted medical device, what can you do? Primarily, be aware. The FDA issued the following recommendations for Patients and Caregivers:
- Talk to your health care provider to determine if your medical device may be affected or whether you should take any actions. Device manufacturers will be sharing more information as it becomes available.
- Seek medical help right away if you think your medical device is not working as expected.
You may even have to make medical professionals aware these vulnerabilities exist. They are not necessarily able to keep up with cybersecurity vulnerabilities in addition to staying on top of their medical training (I do NOT fault doctors for this – they should have cybersecurity professionals monitoring this information for them, but that has not become a standard practice).
Unfortunately, some of the newer Medtronic pacemakers are among the affected devices. I have written before about my concerns over Medtronic pacemakers. One additional big concern that was raised for me when I was at the meeting in DC is that many times, attacks against medical devices are written off as the device simply malfunctioning, so I am afraid that attacks may go undetected.
So, if you have an implanted medical device, what is the likelihood that you could fall victim to an attack? It would take a perfect storm of circumstances, including the following:
- Your device would have to have a Bluetooth Low Energy (BLE) chip from one of the affected manufacturers. Keep in mind that not all chips have been tested, so if the chip does not appear in the list in my references, it does not mean that it isn’t affected.
- The manufacturer would have to have not coded fault tolerance correctly (not an unlikely scenario, unfortunately).
- The attacker would have to be within 300 feet of you (the radio range for Bluetooth).
- In many instances, the attacker would need to reverse engineer the sequence of steps required to communicate with the device.
- The attacker would have to be capable of exploiting the vulnerability – and to be honest, there are not that many capable Bluetooth hackers. They would need to possess the type of expertise that Chris has, and those people get paid a lot and are not likely to waste their time engaging in the level of slimeballery this type of attack would require.
The above combination of circumstances is just not that likely to occur for the average person. If, however, I happened to be a high-profile political figure with a pacemaker, I would have a greater level of concern. In that case, it could be imagined that someone (possibly a nation-state level actor) would take an interest and invest the time and effort into targeting that person specifically.
I take this situation seriously and personally, since our oldest daughter has an implanted medical device. I am grateful her device should not be able to put her in a life-threatening situation, but I also have heightened concern, since her device manufacturer recently declared bankruptcy. If her device had been among the vulnerable ones, there would be no mitigation for it. This morning, I talked to both her surgeon’s office and the manufacturer’s rep (one of the few remaining employees) and verified her device does not use Bluetooth communication.
I do not want to be alarmist or upset anyone unduly. But I want you to be aware. If you have an implanted device, get in touch with your doctor. I have cited all my references below so you can research more details for yourself.
Initial Report: https://asset-group.github.io/disclosures/sweyntooth/
Department of Homeland Security Announcement: https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01