Elise Balin
Staff Writer
The Food and Drug Administration (FDA) warns patients and medical professionals about cybersecurity vulnerability issues in the Bluetooth Low Energy (BLE) connection technology used in medical devices.
Medical devices that use BLE connections include devices that are implanted and worn, including pacemakers, stimulators, insulin pumps, glucose monitors and ultrasound devices. The FDA identifies these vulnerabilities as SweynTooth, which includes three classes of issues.
“BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life and can be found in medical devices as well as other devices, such as consumer wearables,” stated an FDA press release.
Mike Borowczak, director of the University of Wyoming’s Cybersecurity Education and Research Center (CEDAR), identified SweynTooth as a collection of 12 vulnerabilities that do one of three things. The three classes within SwyenTooth include crashing the device, deadlock and security bypasses. Crashing the device causes the device to crash and not restart, and a deadlock causes the device to crash and be unable to restart. The last class, security bypass, is considered the most dangerous.
“The last attack, security bypass, is the most dangerous because if someone can bypass a security system, they can link to a Bluetooth device and then control it,” said Borowczak.
BLE is also found in many devices that do not fall into the medical device category and cybersecurity threats are present in all devices that use this form of connection.
For an individual to hack a device that uses BLE communications technology, they must be within 100 meters. Borowczak used an example of connections, such as Bluetooth speakers, which will connect to a device in the same range that is needed for an attack on a medical device to occur. He said, however, this is not something for people to be concerned about in regards to someone hacking the device from across the world.
Borowczak said this issue has great importance because the codes researchers at Singapore University used to hack BLE devices are published and available to the public. Borowczak said it would not be a difficult task to hack into a BLE medical devices system because of this publication.
“It would be something a college student could pull off, and maybe even a high school student given all the resources, and they wouldn’t actually have to know all the technical details…they would just need to know how to program a device,” said Borowczak.
Borowczak said at least 480 different products use BLE technologies which are affected by SweynTooth concerns. BLE is used in medical devices but also a list of devices including Fitbits, Smart Plugs, Smart Locks, tracking devices and TSA smart locks. Borowczak said people can combat these cybersecurity issues by updating device software.
“It can be really annoying dealing with updates, but that is the one way that you can try to keep yourself secure,” said Borowczak.
Because technology is so integrated into daily life, Borowczak said products that come from smaller or less known manufactures may come at a risk.
“Buying from manufacturers that are bigger and well known has its advantage, and one of the things people tend to do is find the absolute cheapest option for something and it always comes at a risk. If you get a product that you have no idea where it is coming from, it might not actually be a legitimate product, that may not have updates. . . so buying from a quality name brand will keep you a little more protected,” said Borowczak.
The FDA stated they recommend manufactures stay alert to combat these cybersecurity issues and patients with medical devices which use BLE communicating systems should talk with medical providers about security concerns.
