Bluetooth Standards Are Reshaping Medical Devices

The Internet of Things (IoT) has brought about new applications for connected devices. Manufacturers are moving beyond headsets and keyboards. One of these new use cases stands out in particular: applications that rely less on continuous streaming and periodically relay small amounts of data instead.

This is especially true in sensor applications where a remote peripheral is relaying information about its surroundings - such as a thermostat, security sensor, or a medical monitoring device.

At the same time, an advance in the Bluetooth standard is making these new applications possible.  

A Brief History of Bluetooth Classic and Bluetooth Low Energy    

Bluetooth feels like it has been around forever. The Bluetooth SIG was formed in 1998, the first specification followed in 1999, and the first hands-free headsets appeared on the market shortly afterwards. Since then, it’s been used to connect everything from computer mice and keyboards to portable speakers and headphones. Bluetooth Classic, as it’s now called, hops across 79 channels and can transmit up to 3 Mb/s over tens of metres, depending on the device’s power class - making it useful for data transmission, streaming audio, and sharing pictures between smartphones, among other things.

While many devices using Bluetooth Classic are battery operated (at least the peripherals), power was never a serious design constraint, since the components were designed for easy recharging and battery replacement. It didn’t matter if your computer mouse’s battery only lasted a few days. You could just plug in a charging cable or swap out the batteries.

A newer standard, Bluetooth Low Energy (BLE), introduced in Bluetooth 4.0, supports lower data rates, from 125 kb/s (LE Coded, added in Bluetooth 5) up to 2 Mb/s (LE 2M), and adds a connectionless advertising and broadcast mode alongside the connection-oriented mode familiar from Classic. The biggest advancement in BLE is its power-saving capability, which lets devices run for far longer on a single battery.

By default, BLE peripherals sleep until they have data to transmit. Combined with lower power draw during transmission at the lower data rates, the power consumption of BLE devices is typically only 1-5% of that of comparable Bluetooth Classic devices. Their average current drain is in the range of 15-20 microamps, meaning a standard button cell can power most BLE devices for years.

Reshaping the Internet of Medical Things 

Reasonable data transfer rates coupled with low power consumption make BLE devices attractive for consumer applications, such as headphones and thermostats, but that’s only part of the story. Those same attributes also make BLE ideal for connected medical devices - otherwise known as the Internet of Medical Things (IoMT).

A glucose monitor, for example, can use BLE to relay glucose levels to a smartphone for convenient monitoring. In a hospital setting, inexpensive BLE tags attached to equipment make asset tracking and location much easier. Moreover, BLE’s support for large numbers of connected peripherals makes it even more valuable in a clinical or hospital setting, which may involve hundreds (or thousands) of connected medical devices. Think about a nurse’s monitoring station, for example. With BLE, you can have all the floor’s ECGs and other patient monitoring devices relaying telemetry to a central place. It’s the same idea behind health-related wearables such as heart-rate monitors and fitness watches, most of which relay pulse information over BLE.

Dispensing with cables and bulky batteries, and enabling smartphone communication, is a giant step forward. But as with any innovation, there are inevitable risks. And in the case of medical devices, these risks don’t simply cause inconveniences like diminished audio quality or battery life. When it comes to the IoMT, device risks can directly jeopardise patient safety.

Cyber Security in the Internet of Medical Things  

For connected medical devices, cyber attacks are a massive threat to patient safety. For example, an attack against a BLE radio interface can interfere with the essential performance of an IoMT device - which could harm or potentially kill a patient. Multiple vulnerabilities like these have already been discovered in Bluetooth-enabled medical devices, leading to widely publicised disclosures, mandatory mitigations, and device recalls.

One of the most impactful examples is the SweynTooth family of vulnerabilities, which affected a number of BLE-based IoMT devices. The impact was serious enough that in March 2020 the FDA published a safety communication to medical device manufacturers, warning of the dangers posed if one of the vulnerabilities were triggered: devices could crash, deadlock, or freeze, or an attacker could bypass their security safeguards.

The biggest lesson from SweynTooth (and other vulnerabilities like it) is that it made manufacturers aware of upstream vulnerabilities in their supply chain: flaws inherited from components they did not write.

As concerning as the vulnerabilities were, the medical device manufacturers didn’t write the flawed code. In fact, they were unaware the flaws existed. They simply sourced a Bluetooth System on Chip (SoC) from a trusted, well-known electronic component manufacturer and included it in their device. The vulnerabilities shipped inside the SoC’s BLE stack. There simply wasn’t enough security testing performed prior to product shipment, which puts every system the chip is included in at risk.

Uncovering Hidden Vulnerabilities With Protocol Fuzzing  

The SweynTooth vulnerabilities affected several experienced manufacturers, including Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor. How were so many different manufacturers affected? The vulnerabilities were hidden in the vendors’ BLE protocol stacks, which made them difficult to detect and diagnose.

While the security community has developed a series of best practices for discovering application-level vulnerabilities - including common tactics and vulnerability databases that can be cross-checked against application software and third-party libraries - protocol-level vulnerabilities are much harder to pinpoint.

In fact, there’s only one way to adequately test for this kind of vulnerability: an exhaustive testing technique known as protocol fuzzing.

In layman’s terms, protocol fuzzing involves systematically injecting malformed input into a communication exchange to confuse the entity at the other end of a connection and push it into an incorrect state. This can involve fairly simple errors, such as sending multiple copies of a packet, or more sophisticated corruptions of the protocol. Here are a few examples:

  • The flags indicating the beginning and end of a connection can be set in a single packet. 
  • Fields within a packet can be too large or too small. 
  • Fields within a packet can be set to invalid values. 
  • Packets can be delivered out of order.  
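The four mutation classes above can be exercised against a packet handler with a small harness. The following Python is an added example written for this article, not code from the original page, from Keysight, or from any real BLE stack: it defines a toy connection-oriented packet format (flags, sequence number, length, payload, checksum), a hypothetical peripheral handler carrying the kinds of mistakes the text describes, and a fuzzer that drives a fresh handler with each mutated sequence and classifies the result as rejected, crash, hang, or state confusion. The wire format, the handler's bugs and every packet below are constructed for the example.

```python
"""Toy protocol fuzzer (constructed example for this article; not code from
any real BLE stack). A hypothetical peripheral's packet handler is driven
with mutated packets and each outcome is classified."""

FLAG_BEGIN = 0x01   # open a link (stands in for a connection request)
FLAG_END = 0x02     # close the link (stands in for a terminate)


def build(flags, seq, payload=b""):
    """Assumed wire format: flags(1) | seq(1) | length(1) | payload | xor-checksum(1)."""
    body = bytes([flags, seq, len(payload)]) + payload
    csum = 0
    for b in body:
        csum ^= b
    return body + bytes([csum])


def corrupt_length(pkt, new_len):
    """Overwrite only the length field, leaving payload and checksum as they were."""
    return pkt[:2] + bytes([new_len]) + pkt[3:]


class ToyPeripheral:
    """Deliberately naive handler carrying bugs of the kinds the text lists."""

    def __init__(self):
        self.state = "IDLE"
        self.expected_seq = 0
        self.rx = None          # receive buffer: allocated on BEGIN, freed on END

    def handle(self, pkt):
        flags, seq, length = pkt[0], pkt[1], pkt[2]
        body = pkt[:3 + length]
        csum = pkt[3 + length]          # bug 1: trusts `length`; IndexError if it overstates
        check = 0
        for b in body:
            check ^= b
        if check != csum:
            raise ValueError("bad checksum")   # graceful rejection: the correct response
        if flags & FLAG_END:
            self.rx = None
            self.state = "IDLE"
        if flags & FLAG_BEGIN:          # bug 2: handled after END, so BEGIN|END leaves a ghost link
            self.rx = []
            self.state = "CONNECTED"
            self.expected_seq = seq + 1  # bug 3: no 8-bit wrap; seq 0xFF can never be matched
            return
        if seq != self.expected_seq:
            return                      # silently dropped; the peer is expected to retransmit
        self.rx.append(body[3:])        # bug 4: no state check; data before BEGIN hits rx == None
        self.expected_seq += 1


def run_case(packets, probe_seq=None, expect_idle=False):
    """Drive a fresh device (models a reset between cases) and classify what happened."""
    dev = ToyPeripheral()
    try:
        for pkt in packets:
            dev.handle(pkt)
    except ValueError:
        return "rejected"              # the handler noticed and refused: correct behaviour
    except Exception as exc:           # IndexError, AttributeError, ...: firmware would fault
        return "crash:" + type(exc).__name__
    if expect_idle and dev.state != "IDLE":
        return "state-confusion"       # torn down on the air, still open inside the device
    if probe_seq is not None:          # liveness probe: a well-formed packet must still get through
        before = len(dev.rx or [])
        dev.handle(build(0, probe_seq, b"\x7f"))
        if len(dev.rx or []) == before:
            return "hang"
    return "ok"


def fuzz():
    """One constructed packet sequence per mutation class from the article's list."""
    data = b"\x10\x20\x30\x40"
    begin = build(FLAG_BEGIN, 0)
    cases = {
        "baseline":         ([begin, build(0, 1, data)], 2, False),
        "both_flags":       ([build(FLAG_BEGIN | FLAG_END, 0)], None, True),
        "length_too_large": ([begin, corrupt_length(build(0, 1, data), 0x40)], None, False),
        "length_too_small": ([begin, corrupt_length(build(0, 1, data), 2)], None, False),
        "invalid_value":    ([build(FLAG_BEGIN, 0xFF)], 0, False),
        "out_of_order":     ([build(0, 0, data)], None, False),
    }
    return {name: run_case(p, probe, idle) for name, (p, probe, idle) in cases.items()}


if __name__ == "__main__":
    for name, verdict in fuzz().items():
        print(f"{name:18s} {verdict}")
```

The point of the harness is the classification, not the toy protocol: a handler that raises a clear rejection (bad checksum) is behaving correctly, whereas an unexpected exception, a well-formed follow-up packet that is silently dropped, or a link that is still open after it was torn down on air are each findings worth a bug report. A real BLE campaign sends the mutated PDUs over a controllable radio and uses a watchdog or debug probe in place of the exception handler.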

In many cases, the “handshake”, which occurs at the beginning of a connection to establish security, encryption, and other communication parameters, is an easy target. Since the remote device configures itself based on settings established during the handshake, specially crafted packets (or packet sequences) can cause shutdowns or communication errors that require a manual reset to recover from.

In a worst-case scenario, an attacker could target the handshake itself, as documented in CVE-2019-19194. Since the handshake establishes the security and encryption parameters, an attacker who subverts it can bypass the controls that would normally restrict certain actions and gain arbitrary control of the device. For IoMT devices in particular, the impact is obvious and potentially disastrous. An attacker could instruct the device to report incorrect telemetry data, ignore other commands, violate patient privacy by reporting data to an unauthorised system, or even administer a potentially lethal medication dose.
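To make the handshake point concrete, here is an added Python example written for this article (not code from the original page, from Keysight, or from any BLE stack, and not a reproduction of CVE-2019-19194): a toy pairing exchange in which a lenient peripheral accepts an "encryption start" message whether or not key material was ever exchanged, beside a strict one that drives the handshake from an explicit state table and refuses to open a session with no derived key. The message names, the hash-based key agreement and the command bodies are all assumptions of the example.

```python
"""Handshake ordering check (constructed example for this article; not a
reproduction of any real BLE SMP implementation or of CVE-2019-19194).
A lenient toy peripheral accepts handshake messages in any order; the strict
one enforces the order and refuses to encrypt without a derived key."""
import hashlib
import hmac
import os

# Toy handshake messages (assumed names, not Bluetooth SMP opcodes)
PAIR_REQ, KEY_XCHG, CONFIRM, ENC_START, CMD = range(5)

# The only message each state may accept, and the state it leads to
ALLOWED = {
    "IDLE":      {PAIR_REQ: "PAIRING"},
    "PAIRING":   {KEY_XCHG: "KEYS"},
    "KEYS":      {CONFIRM: "CONFIRMED"},
    "CONFIRMED": {ENC_START: "ENCRYPTED"},
    "ENCRYPTED": {CMD: "ENCRYPTED"},
}
ZERO_KEY = bytes(16)


def session_key(pub_a, pub_b):
    """Stand-in for the real key agreement: a hash of both sides' contributions."""
    return hashlib.sha256(b"toy-pairing|" + pub_a + pub_b).digest()[:16]


def mac(key, body):
    """Authentication tag every post-handshake command must carry."""
    return hmac.new(key, body, hashlib.sha256).digest()[:8]


class Peripheral:
    def __init__(self, strict):
        self.strict = strict
        self.own_pub = os.urandom(16)   # this side's contribution to the key agreement
        self.state = "IDLE"
        self.key = ZERO_KEY             # nothing derived yet
        self.executed = []              # commands the device acted on

    def receive(self, mtype, payload=b""):
        if self.strict:
            if mtype not in ALLOWED[self.state]:
                self.state, self.key = "IDLE", ZERO_KEY   # abort pairing on any out-of-order message
                return "rejected"
            if mtype == ENC_START and self.key == ZERO_KEY:
                return "rejected"                       # never start a session with no key
        if mtype == PAIR_REQ:
            self.state = "PAIRING"
        elif mtype == KEY_XCHG:
            self.key = session_key(payload, self.own_pub)
            self.state = "KEYS"
        elif mtype == CONFIRM:
            self.state = "CONFIRMED"
        elif mtype == ENC_START:
            self.state = "ENCRYPTED"    # lenient bug: uses whatever key is loaded, even all zeros
        elif mtype == CMD:
            body, tag = payload[:-8], payload[-8:]
            if self.state != "ENCRYPTED" or not hmac.compare_digest(mac(self.key, body), tag):
                return "rejected"
            self.executed.append(body)
            return "executed"
        return "ok"


def skip_handshake_attack(dev):
    """Attacker: jump straight to ENC_START, then sign a command under the all-zero key."""
    dev.receive(ENC_START)
    body = b"DOSE 50"                   # constructed command body
    return dev.receive(CMD, body + mac(ZERO_KEY, body))


def legitimate_session(dev):
    """Central: full handshake, then a command under the properly derived key."""
    central_pub = os.urandom(16)
    for mtype, payload in ((PAIR_REQ, b""), (KEY_XCHG, central_pub), (CONFIRM, b""), (ENC_START, b"")):
        if dev.receive(mtype, payload) != "ok":
            return "handshake-failed"
    # On air the peripheral's contribution would travel in its KEY_XCHG reply; read it directly here.
    key = session_key(central_pub, dev.own_pub)
    body = b"DOSE 5"                    # constructed command body
    return dev.receive(CMD, body + mac(key, body))


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient",
              "attack:", skip_handshake_attack(Peripheral(strict)),
              "legit:", legitimate_session(Peripheral(strict)))
```

The lenient variant works perfectly for a legitimate central, which is why ordering bugs survive functional testing; only an out-of-order sequence, the kind a protocol fuzzer generates, reveals that the security decision was never tied to the handshake actually completing. The strict variant's two checks are the ones to look for in a stack under review: every message is validated against the current state, and a failed step resets the pairing rather than leaving half-derived key material in place.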

Securing Protocol-level Vulnerabilities In BLE-enabled IoMT Devices   

Clearly, this type of vulnerability is a serious concern for medical device manufacturers - as reflected by the FDA’s focus in the USA and similar regulatory scrutiny worldwide. But what’s the best way to protect connected devices? For starters, that means implementing validation and verification strategies to identify vulnerabilities in SoC protocol stacks. Manufacturers need to serve as the last line of defence. After all, they’re the ones on the hook to rapidly distribute warning communications, mitigation strategies, and remediation firmware updates for impacted devices to patients and care providers. And, as noted in the above example, even the most well-resourced suppliers aren’t immune from delivering vulnerable chipsets.  

However, security is a journey, not a destination. That’s why, at minimum, device manufacturers must insist on remedial updates from chipset vendors prior to product release. And, at the same time, they must also take it upon themselves to conduct extensive protocol fuzzing assessments of their devices - while including their validation and verification strategies in FDA pre-market clearance submissions.  

As BLE connectivity for IoMT devices becomes more prevalent, protocol fuzzing validation will become even more critical in maintaining patient safety and trust in advancing technologies.

Fortunately, protocol fuzzing toolkits are becoming more widely available and easier to use - even for quality control teams who have little to no experience in cyber security. And given the time it may take for a chipset vendor to thoroughly reproduce, diagnose, remedy, and validate vulnerabilities, the time to start the process of testing products in the development pipeline is now.

One need only look to SweynTooth to see that the later a vulnerability is found, the more costly the impact of remediation.   

Scott Register is Vice President of Security Solutions at Keysight Technologies
