The U.S. Food and Drug Administration recently put medical device manufacturers, suppliers, patients and healthcare providers on notice regarding a family of 12 wireless communication vulnerabilities that have been dubbed SweynTooth.
These security gaps are associated with the use of Bluetooth Low Energy (BLE) wireless communication technology that allows devices to pair and exchange information more efficiently – preserving battery life.
And while these vulnerabilities are present in a number of consumer devices utilizing connected or Internet of Things technology, the biggest cause for concern is that hackers could target wearable medical devices like pacemakers, blood glucose monitors or insulin pumps.
Exploiting the SweynTooth vulnerabilities could allow an unauthorized user to wirelessly access the device in completely disabling or crashing it, freezing or pausing its’ functionality, and/or bypassing security protocols in messing with device settings or functions.
Just as alarming is that according to the FDA, the software which would be needed to perform these breaches is easy to obtain and use.
In establishing the first line of defense against possible attacks, the FDA is reaching out to manufacturers of the microchips used in many of these devices. These chipmakers include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.
In addition to smaller, wearable devices, the SweynTooth vulnerabilities have also been identified in larger pieces of medical equipment, including electrocardiograms, patient monitoring devices and ultrasounds.
Beyond chip makers working with their customers at the device design and production level, the FDA is also looking for medical device manufacturers to reach out to their healthcare provider customers in finding ways to help reduce patient risk.
In the short term this will include developing a risk assessment plan for patients and developing patches that won’t allow hacker software to leverage these vulnerabilities.
To date, the FDA is not aware of any incidents related to SweynTooth.