FDA identifies security flaw in Low Energy Bluetooth tech in medical devices

The US Food and Drug Administration has identified security flaws, dubbed SweynTooth, affecting low energy Bluetooth technology in certain medical devices.

The FDA has warned patients, health care providers and manufacturers about a new cyber security risk that can affect Bluetooth Low Energy communications technology used in certain medical devices. According to FDA, this vulnerability can allow unauthorised users to wirelessly crash the device, stop it from working, or access device functions normally only available to the authorized user.

Bluetooth Low Energy (BLE) is a wireless communication technology that allows devices to pair and share information to perform their intended functions while preserving battery life. This technology can be found in implanted medical devices such as insulin pumps, stimulators, pacemakers and glucose monitors, as well as in other devices like consumer wearables and Internet of Things (IoT) devices.

SweynTooth flaw affected medical devices manufactured by seven companies

The FDA said that so far it is not aware of any instance of hackers exploiting the security flaw; however, malware that can use these flaws in certain situations is publicly available. So far, it has listed seven affected microchip manufacturers: Cypress, NXP, Telink Semiconductor, STMicroelectronics, Texas Instruments, Dialog Semiconductor and Microchip.

Their microchips are available in devices that are implanted in or worn by patients such as pacemakers, stimulators, blood glucose monitors and insulin pumps. Larger devices such as electrocardiograms, monitors and diagnostic devices like ultrasound devices also contain these microchips.

The FDA, however, has mentioned that these microchip manufacturers are already aware of the security threat and have released patches to address the issue. They are also looking into their products that may have been affected by SweynTooth.

Manufacturers must proactively secure connected devices

Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health, said that “medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm.

“The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe,” she added.

The FDA mentioned that it will continue its ongoing work with manufacturers and health care delivery organizations, as well as security researchers and other government agencies, to help develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle.
