On March 3 of 2020, the Cybersecurity and Infrastructure Security Agency posted an alert on its website about vulnerabilities affecting a large number of devices that use Bluetooth Low Energy (BLE) wireless communication technology discovered by three members of the Singapore University of Technology and Design.  This report indicates that BLE system on a chip manufacturers using several affected software development kits (SDK). In order to understand the importance of these vulnerabilities, it is necessary to define some terms.
According to the ASSET Research Group, the Bluetooth Low Energy (BLE) is a wireless communication technology specially designed to prolong battery life of devices with different power consumption and usage capabilities. BLE consists of a set of many standardized protocols that provide remote connectivity and security between a simple device (peripheral) and the user’s device (central) which is usually a smartphone or a notebook.  In addition to that, is designed for short-range communication and, in a way, it is similar to Wi-Fi because it is meant to allow devices to communicate to each other.
The Techopedia website explains what a system on a chip is by saying the following:
A system on a chip (SoC) combines the required electronic circuits of various computer components onto a single, integrated chip (IC). SoC is a complete electronic substrate system that may contain analog, digital, mixed-signal or radio frequency functions. The website also explains that SoC uses less power, has better performance, requires less space and it is more reliable than multi-chip systems (used in mobile devices today).
BLE technology allows longer times of battery consumption and it is a great technology for applications that are constantly streaming data; hence, it is very useful in the application of medical devices which are constantly streaming data and it is important to have a prolonged battery life.
Now, going back to the report about the vulnerabilities of medical devices, the flaws in BLE SoC implementations are what makes a list of vulnerabilities called SweynTooth, a collection of bugs that attack vectors against BLE stacks that have passed multiple verifications and are believed to be safe from such flaws.
The impact of these vulnerabilities is divided into three categories, according to the Federal Drug Administration safety communication report on March of 2020.
- Crash the device. The device may stop communicating or stop working.
- Deadlock the device. The device may freeze and stop working correctly.
- Bypass security to access device functions normally available only to an authorized user.
According to the ASSET Research Group , the most critical devices are the medical devices that use the system on a chip (SoC) model DA14580  and these device fall into one category of vulnerability:
- Crash: Vulnerabilities in this category can remotely crash a device by triggering hard faults. This happens due to some incorrect code behavior or memory corruption, e.g., when a buffer overflow on BLE reception buffer occurs. When a device crash occurs, they usually restart. However, such a restart capability depends on whether a correct hard fault handling mechanism was implemented in the product that uses the vulnerable BLE SoC.
In this case, the two types of medical devices affected by these vulnerabilities are blood glucose monitors manufactured by VivaCheck Laboratories and pacemaker manufactured by Medtronic Inc.
The FDA mentions that the manufacturers of medical devices are assessing which devices are affected by SweynTooth, evaluating the risk, and developing remediation actions.
If you think you had a problem with your device or a device your patient uses, the FDA encourages users to report the problem through the MedWatch Voluntary Reporting Form provided in their website.
- ICS Alert (ICS-ALERT-20-063-01) SweynTooth Vulnerabilities. (2020, March 3). Retrieved from https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
- Garbelini, M. E., Chattopadhyay, S., & Wang, C. (n.d.). Unleashing Mayhem over Bluetooth Low Energy. ASSET Research Group: SweynTooth. Retrieved from https://asset-group.github.io/disclosures/sweyntooth/
- What is a System on a Chip (SoC)? - Definition from Techopedia. (2017, January 19). Retrieved from https://www.techopedia.com/definition/702/system-on-a-chip-soc
- Ilascu, I. (2020, February 13). SweynTooth Bug Collection Affects Hundreds of Bluetooth Products. Retrieved from https://www.bleepingcomputer.com/news/security/sweyntooth-bug-collection-affects-hundreds-of-bluetooth-products/
- Center for Devices and Radiological Health. (n.d.). SweynTooth Cybersecurity Vulnerabilities. Retrieved from https://www.fda.gov/medical-devices/safety-communications/sweyntooth-cybersecurity-vulnerabilities-may-affect-certain-medical-devices-fda-safety-communication