Bluetooth Cybersecurity and Sweyntooth

At Promenade Software, we are seeing an explosion of Bluetooth communications as a fundamental part of new medical devices.  There are some wonderful advantages of Bluetooth – allowing manufacturers to incorporate powerful, inexpensive commercial devices (Android, iOS) as part of their devices, without wires and network worries.

The BLE (Bluetooth Low Energy) 5.0 specification is presumed to keep communications secure. But recently a serious vulnerability, called KNOB, was disclosed. It exposes a weakness in the design that allows the encryption key length to be negotiated down, during the pairing process, to a point where it is worthless. This would allow an attacker to quickly brute-force the key, breaching the security.

Just recently, a new class of vulnerabilities has been disclosed, called SweynTooth. Named after Sweyn Forkbeard, the son of King Harald Bluetooth (after whom Bluetooth technology was named), Sweyn revolted against his father, forcing his exile and leading to his ultimate death. SweynTooth describes implementation flaws in many widely used, certified BLE software stacks from major manufacturers including Cypress, TI, NXP, and STMicro, to name a few. These affect almost all BLE devices in the field, including medical devices.


Blood glucose readers, an MRI machine, and an inhaler are the medical devices listed as affected so far, but more will be forthcoming. These security flaws are broad and, if attacked, can cause deadlock, crashes, unpredictable behavior and security breaches in the devices. For medical devices, these security flaws can potentially cause harm.

The researchers attribute many of these flaws to inadequate specification of edge cases, such as the handling of partial packets, and to inadequate testing in the certification process of the Bluetooth stack. Clearly this will be addressed in time, and some vendors have already issued new stack releases.
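As an added illustration (this is not code from the page, from Promenade, or from any vendor's BLE stack), the Go reassembler below shows the kind of edge-case handling the researchers found missing. It bounds the declared message length before committing memory, rejects a continuation fragment when no message is in progress, refuses a fragment that would overrun the declared length, and discards a partial message that has waited too long instead of blocking the channel forever. The framing (a first fragment that declares a total length, followed by continuation fragments) and the 256-byte limit are constructed simplifications for the example, not the Bluetooth link-layer or L2CAP format.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// maxMessage bounds the reassembly buffer (assumed value); a first fragment that
// declares more than this is refused before any memory is committed.
const maxMessage = 256

// Fragment is a constructed framing for the example, not a Bluetooth format: the
// first fragment of a message declares the message's total length, and the
// following continuation fragments carry the rest.
type Fragment struct {
	First bool
	Total int // only meaningful when First is true
	Data  []byte
}

// Reassembler collects fragments into one message and enforces the edge cases.
type Reassembler struct {
	buf      []byte
	expected int // declared length of the message in progress, 0 if none
	started  time.Time
	timeout  time.Duration
	now      func() time.Time // injectable clock
}

func NewReassembler(timeout time.Duration) *Reassembler {
	return &Reassembler{timeout: timeout, now: time.Now}
}

// Feed consumes one fragment. It returns the complete message once the last byte
// arrives, nil while more is expected, and an error (after discarding any partial
// state) for a fragment that breaks the framing rules.
func (r *Reassembler) Feed(f Fragment) ([]byte, error) {
	// A partial message must not wait forever for its remainder; stale state is
	// discarded instead of stalling the channel.
	if r.expected > 0 && r.now().Sub(r.started) > r.timeout {
		r.reset()
	}
	if f.First {
		r.reset() // a new start abandons any unfinished message rather than mixing them
		if f.Total <= 0 || f.Total > maxMessage {
			return nil, errors.New("declared length out of range")
		}
		r.expected, r.buf, r.started = f.Total, make([]byte, 0, f.Total), r.now()
	} else if r.expected == 0 {
		return nil, errors.New("continuation fragment with no message in progress")
	}
	// A fragment may never push the buffer past the length the header promised.
	if len(r.buf)+len(f.Data) > r.expected {
		r.reset()
		return nil, errors.New("fragment overruns declared length")
	}
	r.buf = append(r.buf, f.Data...)
	if len(r.buf) < r.expected {
		return nil, nil // wait for more
	}
	msg := r.buf
	r.reset()
	return msg, nil
}

func (r *Reassembler) reset() { r.buf, r.expected = nil, 0 }

func main() {
	r := NewReassembler(500 * time.Millisecond)
	// Constructed fragment sequence: one well-formed message, then malformed cases.
	for _, f := range []Fragment{
		{First: true, Total: 5, Data: []byte("he")},
		{Data: []byte("llo")},
		{Data: []byte("!")},                  // orphan continuation
		{First: true, Total: maxMessage + 1}, // oversized declaration
		{First: true, Total: 3, Data: []byte("ab")},
		{Data: []byte("cd")}, // overruns the declared 3 bytes
	} {
		msg, err := r.Feed(f)
		fmt.Printf("msg=%q err=%v\n", msg, err)
	}
}
```

The design choice worth noting is that every rejection resets the reassembler to a known empty state, so a malformed or late fragment costs the peer one message rather than leaving the stack wedged.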

So what can you do to ensure the cybersecurity of your device when these vulnerabilities keep arising? At Promenade, we have a three-prong approach to cybersecurity that we are happy to share:

1. A belt-and-suspenders or “Defense in Depth” strategy. We like to use application-layer encryption as well as the BLE encryption when possible.

2. Monitor. Monitor for known vulnerabilities and for updates to the vendors’ libraries to make sure that any issues addressed are incorporated.

3. Upgrade support for all software and firmware, including the BLE stack, and ensure that the images are properly authenticated.
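To make the first and third prongs concrete, the following Go program is an added example (not Promenade's code and not tied to any particular BLE stack). It seals each application message with AES-256-GCM under a session key, so the data stays protected even if the link-layer BLE encryption is weakened; it carries a send counter in the clear so the receiver can reject replays; it splits the result into 20-byte writes that fit the default ATT MTU; and it verifies a firmware image's Ed25519 signature together with a version field that blocks rollback to an older signed image. The session key, the 20-byte write size, the 8-byte counter header and the 4-byte version prefix on the image are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// attPayload is the application payload per ATT write at the default 23-byte MTU
// (assumed here; larger MTUs can be negotiated).
const attPayload = 20

// newGCM builds the application-layer AEAD from a 32-byte session key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts one message. The 12-byte GCM nonce is built from a per-session
// send counter so it never repeats under the same key; the counter is sent in the clear
// ahead of the ciphertext and is authenticated as associated data.
func sealMessage(aead cipher.AEAD, counter uint64, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], counter)
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, counter)
	return aead.Seal(hdr, nonce, plaintext, hdr)
}

// openMessage authenticates and decrypts a sealed message, rejecting any counter that
// is not strictly newer than the last accepted one (replay protection).
func openMessage(aead cipher.AEAD, lastSeen uint64, msg []byte) ([]byte, uint64, error) {
	if len(msg) < 8 {
		return nil, lastSeen, errors.New("message too short")
	}
	counter := binary.BigEndian.Uint64(msg[:8])
	if counter <= lastSeen {
		return nil, lastSeen, errors.New("replayed or stale counter")
	}
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], counter)
	pt, err := aead.Open(nil, nonce, msg[8:], msg[:8])
	if err != nil {
		return nil, lastSeen, errors.New("authentication failed")
	}
	return pt, counter, nil
}

// chunk splits a sealed message into ATT-sized writes; the peer concatenates them and
// GCM then detects any missing, reordered or modified chunk.
func chunk(msg []byte) [][]byte {
	var out [][]byte
	for len(msg) > attPayload {
		out = append(out, msg[:attPayload])
		msg = msg[attPayload:]
	}
	return append(out, msg)
}

// verifyImage checks the Ed25519 signature over the whole image and requires the 4-byte
// big-endian version at the start of the image (assumed layout) to be at least the
// installed version, so a validly signed but older image cannot be reinstalled.
func verifyImage(pub ed25519.PublicKey, image, sig []byte, installed uint32) error {
	if len(image) < 4 {
		return errors.New("image too short")
	}
	if !ed25519.Verify(pub, image, sig) {
		return errors.New("image signature invalid")
	}
	if binary.BigEndian.Uint32(image[:4]) < installed {
		return errors.New("image would roll back firmware version")
	}
	return nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed session key; a real device derives it during key agreement
	aead, _ := newGCM(key)
	sealed := sealMessage(aead, 1, []byte("glucose=5.4 mmol/L")) // constructed reading
	writes := chunk(sealed)
	pt, last, err := openMessage(aead, 0, bytes.Join(writes, nil))
	fmt.Printf("%d ATT writes -> %q (counter %d, err %v)\n", len(writes), pt, last, err)
	_, _, err = openMessage(aead, last, sealed)
	fmt.Println("replay of the same message:", err)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor signing key
	image := append([]byte{0, 0, 0, 2}, []byte("firmware body")...) // version 2 + body
	sig := ed25519.Sign(priv, image)
	fmt.Println("v2 over v1:", verifyImage(pub, image, sig, 1), "| v2 over v3:", verifyImage(pub, image, sig, 3))
}
```

The monotonic counter is what turns encryption into replay protection: a captured reading can be decrypted by nobody and cannot be re-delivered either, because its counter is no longer newer than the receiver's last accepted value. On the firmware side, the signature binds the version field to the body, so an attacker cannot pair an old body with a new version number.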

 

Nothing can predict or prevent new vulnerabilities in connected products, but preventative actions can greatly reduce your exposure, and at least increase the sophistication required of the attacker. If you want more information regarding Bluetooth, click to read our Bluetooth Connectivity blog post or visit our blog homepage to learn more about how Promenade will help you identify the best approaches to your device's cybersecurity.
Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.

About Promenade Software

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485 and 9001 certified.
