Other IoT Devices at Risk Include ‘Smart Home’ and Wearable Gear
Federal regulators say a recently identified group of cybersecurity vulnerabilities dubbed “SweynTooth” could pose risks to certain internet of things devices, including wearable health gear and medical devices, as well as “smart home” products from vendors who utilize Bluetooth Low Energy, or BLE, wireless communication technology.
In alerts issued Tuesday by the Food and Drug Administration and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, regulators warn that the potential impacts of the vulnerabilities fall into three categories. An unauthorized user can wirelessly exploit these vulnerabilities to:
- Crash the device: The device may stop communicating or stop working.
- Deadlock the device: The device may freeze and stop working correctly.
- Bypass security to access device functions normally available only to an authorized user.
An FDA spokeswoman tells Information Security Media Group that the agency does not yet have an estimate of how many medical devices and other health-related products in use in the U.S. or worldwide could be affected. That’s in part because device makers choose the suppliers of the chips used in their products.
But some experts surmise the range of products affected is vast.
“As with any medical technology, threats that can affect proper operation, availability or in any way threaten patient safety are of concern,” says Bill Aerts, executive director of the Archimedes Center for Medical Device Security at the University of Michigan.
“Many mobile and IoT devices, including medical devices, use this technology, so the impact could be broad across industries and device types.”
Former healthcare CISO Mark Johnson, principal at security consulting firm LBMC Information Security, says the SweynTooth discoveries need to be put into perspective.
“While the potential impacts of exploitation are alarming, I feel the real risk for this specific set of vulnerabilities is less, given the requirement to be within ‘radio range,’” he says. “According to my research, radio range for these devices is 100 meters. That is not to say that entities should not patch these devices, given the manufacturer has already released patches. However, these would be lower criticality patches.”
The SweynTooth flaws were recently discovered by researchers at the Singapore University of Technology and Design, CISA notes.
“This [research] report was released without coordination with some of the affected vendors and without advance coordination with CISA. CISA has notified some of the affected vendors of the report and has asked the vendors to confirm the vulnerabilities and identify mitigations,” CISA says.
“These vulnerabilities are reported to affect at least seven different BLE system-on-a-chip manufacturers utilizing various affected software development kits. According to information released by the researchers, the BLE SoC manufacturers include Texas Instruments, NXP Semiconductors, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.”
“The vulnerabilities expose flaws in specific Bluetooth low energy SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes, buffer overflows, or the complete bypass of security,” CISA writes.
“It is reported that smart-home devices, wearables, environmental tracking or sensing devices, and several medical and logistics products could be affected. The affected medical devices may include pacemakers, blood glucose monitors and others using affected BLE SDKs.”
The FDA in its alert recommends manufacturers take a number of critical steps to address the potential problems.
“If your device or any device that communicates with your device uses BLE technology, evaluate how it is impacted by these vulnerabilities. Conduct a risk assessment, as described in FDA’s cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities to affected devices and develop risk mitigation plans,” the FDA says.
“Mitigations should include compensating controls while you are developing software patches.”
The FDA is also advising manufacturers to work with healthcare providers, facilities and patients to determine which medical devices are affected and to take action to ensure that risks are reduced to acceptable levels.
“Where possible, monitor medical devices for any signs of unusual behavior. Communicate with your customers and the user community regarding your assessment and recommendations for risk mitigation strategies and any compensating controls, so that customers can make informed decisions about device use,” FDA advises. “Share your customer communications with an Information Sharing Analysis Organization.”
Compensating controls and patches made to address the SweynTooth vulnerabilities are not likely to significantly affect the safety or effectiveness of the device and thus would not likely need FDA premarket review prior to implementation, the FDA notes. “If the changes to the device needed to address the vulnerabilities could significantly affect the safety or effectiveness of the device, however, premarket review [by FDA] is required.”
Johnson says it’s important for healthcare organizations to assess the situation and take appropriate action.
“Most healthcare organizations are continuing to struggle to have good asset management – never mind this higher level of asset management,” he says. “Healthcare struggles managing normal computers and systems. They focus almost exclusively on big systems like EMS, PACS and labs. These are undoubtedly important, but it’s only a fraction of the systems that a better asset management program will manage. That should be a key priority in 2020 for healthcare CIOs.”
Johnson says risk management strategies need to change. “The old adage of ‘I can’t protect it if I don’t know it exists’ is becoming more like ‘I can’t protect it if I don’t know the components that make up the device or system.’ It’s a bit like understanding the software on a given computer, but it’s a lower level of abstraction.”
David Finn, executive vice president at security consultancy CynergisTek, says the number of products affected by the SweynTooth flaws could be substantial.
“The extent of the vulnerabilities may be staggering. The Bluetooth Low Energy Software Development Kits have been used in over 480 end-user products,” Finn says. “These range from fitness tracking bracelets and other wearables to smart plugs and smart door locks to glucose meters and medical devices.
“Given that the vulnerability is now well known, the potential impact could be vast. In 2018 alone, more than 178 million wearable devices were sold, and that doesn’t include the years before or since,” he says.
Systems-on-a-chip offer some real advantages for small and mobile devices, Finn adds. “It integrates all components of a computer or an electronic system, and since it includes both the hardware and the software, it requires less power, has improved performance and takes up less space. Unfortunately, benefits always present trade-offs, and in this case much of what is sacrificed is security.”
Finn notes that there are about 800,000 staffed hospital beds in the U.S., and perhaps 10 to 15 medical devices per bed. “Even if only a fraction of these devices contained the vulnerability, you are talking about a potentially massive impact.”
But the potential problems could grow worse, Finn adds. “I believe we are only at the beginning of vulnerability disclosures around IoT devices, particularly those used in wellness and healthcare.”