HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

12 vulnerabilities – collectively called SweynTooth – have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) software development kits used by at least 7 manufacturers of software-on-a-chip (SOC) chipsets.

SOCs are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. SoCs with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their SoCs from several sources. Some security researchers believe millions of medical devices could be vulnerable. SoCs are used in around 500 different products. Hundreds of millions of devices could be affected.

The vulnerabilities are present in SoCs from Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1-6.9 out of 10.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

7 of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. 4 vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass which would allow an attacker to gain access to device functions that are usually only accessible by an authorized device administrator. The flaws can be exploited remotely by an attacker, although only if the attacker is within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telelink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Currently, patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.