The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts about a group of 12 vulnerabilities dubbed SweynTooth. The SweynTooth flaws are present in certain Bluetooth Low Energy (BLE) chips, which are used in a wide range of devices to provide wireless connectivity. At least 480 products use BLE chips, and hundreds of millions of devices could be affected.
The chips are used in wearable health devices which communicate with smartphones via Bluetooth, and also in certain medical devices including pacemakers, insulin pumps, and blood glucose monitors as well as hospital equipment such as ultrasound machines and monitors. It is not yet known how many medical devices are affected.
The flaws could be exploited to crash vulnerable devices, deadlock them so that they stop functioning, or bypass security controls to gain access to device controls and change the functions of vulnerable devices. In order to exploit the flaws, an attacker would need to be within radio range of a vulnerable device, which limits the potential for exploitation.
According to the FDA and CISA, the SweynTooth vulnerabilities affect at least 7 BLE system-on-a-chip manufacturers: Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor.
The vulnerabilities were discovered by researchers at the Singapore University of Technology and Design, although CISA said not all of the affected vendors were notified before the report was published. CISA said in its alert that contact has now been made with some of the affected vendors to alert them to the problem, and patches have started to be issued to correct the flaws. At the time of publication, patches have been released by Cypress, NXP, Texas Instruments, and Telink. The other affected medical device manufacturers are assessing the impact of the flaws and are working on patches.
Manufacturers of the chips and affected devices have been advised to conduct a risk assessment to determine how their chips or products are affected and to develop mitigations that can be implemented to reduce the risk of exploitation of the flaws until patches can be released to permanently correct the flaws.
Healthcare providers have been advised to contact their device manufacturers to determine which devices are affected and what needs to be done to correct the flaws. They have been instructed to contact patients who are using vulnerable devices and explain the steps they can take to reduce risk. Patients have been advised to seek medical help immediately if they feel their medical devices are not functioning properly and to monitor for unusual behavior.