Researchers at the Singapore University of Technology and Design identified a group of 12 vulnerabilities, collectively referred to as SweynTooth, in the Bluetooth Low Energy (BLE) software development kits of around 7 suppliers of system-on-a-chip (SoC) chipsets.
SoCs are components used in smart home gadgets, wearable health devices, fitness trackers, and healthcare devices to give them wireless connectivity. SoCs affected by the SweynTooth vulnerabilities are used in pacemakers, insulin pumps, and blood glucose monitors, as well as in hospital equipment such as patient monitors and ultrasound machines.
The number of healthcare devices and wearable health devices affected by the vulnerabilities is not yet known, because device vendors source their SoCs from various suppliers. Some security researchers believe millions of healthcare devices might be vulnerable: the affected SoCs are used in approximately 500 distinct products, so millions of devices may be impacted.
The vulnerabilities are found in SoCs from Cypress, Microchip, Dialog Semiconductors, NXP Semiconductors, Texas Instruments, STMicroelectronics, and Telink Semiconductor. The CVSS v3 base scores assigned to the vulnerabilities range from 6.1 to 6.9 out of 10.
Attackers could exploit seven of the vulnerabilities to crash vulnerable devices, which would stop them from communicating and halt their function completely. Four of the vulnerabilities, when exploited, could deadlock devices, causing them to freeze and stop working correctly. One vulnerability may allow a security bypass, through which an attacker could gain access to device controls that only an authorized device administrator should be able to reach. The vulnerabilities can be exploited remotely, but only from within radio range of a vulnerable unit. BLE range varies by device, but the maximum is below 100 m (328 ft).
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) released notifications about the vulnerabilities this week. The FDA stated that affected device suppliers have been notified of the vulnerabilities and are evaluating which of their products are impacted. Mitigations are being prepared to minimize the possibility of exploitation until patches that fix the vulnerabilities are released.
Cypress, NXP, Telink, and Texas Instruments have issued patches to fix the vulnerabilities. Dialog has released two patches, with the remaining patches scheduled for release before the end of March 2020. Microchip and STMicroelectronics have not yet released patches.
The FDA has instructed device makers to perform risk assessments to determine the potential impact of the vulnerabilities. Healthcare organizations should contact their device manufacturers to find out whether their devices are affected, and should take steps to minimize the chances of exploitation. Patients should monitor their devices for irregular behavior and seek medical help right away if they believe their medical devices are malfunctioning.