Medical device makers race to understand scope of SweynTooth vulnerabilities

Medical-technology companies are working quickly to assess the cybersecurity of their health care devices following public disclosure this week of a suite of serious security problems in common low-energy Bluetooth communication systems.

Millions of devices, including many medical devices, could be hacked and shut down because of flaws in low-power versions of the ubiquitous wireless communications technology, researchers at the Singapore University of Technology and Design disclosed in a paper last month.

The report documented at least 12 different vulnerabilities that it collectively dubbed SweynTooth (pronounced "swain-tooth"), specifically calling out medical devices from Medtronic and VivaChek Biotech as being vulnerable.

Other companies' products may also be affected, but the work of assessing SweynTooth's impacts across med-tech is ongoing. As of today, the Food and Drug Administration cannot issue a full list of affected devices, because no such list exists — it's up to each manufacturer to assess impacts and decide if software patches are needed. The FDA announcement simply listed three common types of medical devices that could potentially be affected: pacemakers, glucose monitors and ultrasound devices.

Medtronic, run from offices in Minnesota, has confirmed some of its heart and diabetes devices are impacted, while GE Healthcare in Wisconsin said its ultrasound systems are not. Heart-device maker Boston Scientific has found no effects from SweynTooth. Abbott Laboratories is continuing to evaluate its products, but so far has detected no impacts for most of its devices, including the widely used FreeStyle Libre glucose monitor. China-based VivaChek Biotech is testing a software patch for affected blood-glucose meters that it plans to released by March 13.

No malicious attacks have been reported using the SweynTooth vulnerabilities, but the software tools are reportedly available online. Regulators said the vulnerabilities could allow an attacker to crash a vulnerable device or change its therapy settings. The researchers who discovered vulnerabilities warned that quick action is needed to avoid low-energy Bluetooth communications turning into a "breeding ground" for attackers.

Interviews with industry officials this week show that information about the vulnerabilities diffused informally though the med-tech community throughout February. FDA officials briefed medical device company officials at an industry meeting in February, and FDA's formal public announcement arrived on Tuesday. Wired magazine covered the story on Feb. 20.

The problems reside in complex electronic devices called "systems on a chip," or SoCs, made by large electronics manufacturers like Texas Instruments and Cypress NXP.

Ken Hoyme, director of product security at Boston Scientific, said that while the chip companies received advance notice about publication of the vulnerabilities, it's not clear that those manufacturers told their customers, including med-tech manufacturers.

The SweynTooth report disclosed that Medtronic buys Bluetooth Low Energy chips from Dialog Semiconductor in London. Dialog was informed of the vulnerabilities by the researchers, but Medtronic said it did not inform the device maker.

"We did not hear this from Dialog. However, we have been in regular communication with Dialog on the vulnerability," said Alex Kent, a director with Medtronic's product security and privacy division for heart devices.

Dialog did not respond to a request for comment.

Communication in the medical device supply chain ought to include newly discovered security vulnerabilities, said Beau Woods, CEO of information security consulting firm Stratigos Security. "In theory, when any of your supply chain finds out about an issue like that, they are supposed to tell you. In some cases they do, in some cases they delay, and sometimes they don't bother," Woods said.

Medtronic officials began testing for SweynTooth problems after learning about the vulnerabilities on Feb. 14. They found that their strategy of "defense by design" worked, because the devices keep working even if the Bluetooth connection is disrupted.

Two aspects of the defensive design Medtronic was willing to talk about publicly were its "zero trust" architecture and segmentation of functions: Inside a Medtronic heart device, the low-energy Bluetooth components are kept separate from the therapy module that interacts with the heart, and the therapy module can't take orders from Bluetooth components.

"You can't interrupt the functionality of the device through these or any other vulnerabilities in the Bluetooth module," Kent said.

Medtronic issued a security alert this week saying there are no plans to issue firmware updates for heart devices, but no decision has yet been made about diabetes devices. SweynTooth affects several models of pacemakers and defibrillators, and several components of its diabetes systems, but no Medtronic insulin pumps or continuous glucose monitor transmitters.

Bluetooth technology has long been known to be susceptible to attacks, according to a 2017 standards document from the National Institute of Standards and Technology.

"The medical device industry is under tremendous pressure," said Todd Carpenter, chief engineer at Minneapolis information security firm Adventium Labs. "Clinicians want things that are easy to use, that automatically work. And Bluetooth is set up so that it just automatically works. The downside is, that means its also automatically works for the attackers."

Joe Carlson • 612-673-4779