Ian Bolland spoke to Chris Risley, CEO at Bastille Networks, about medical devices at risk of being compromised by SweynTooth vulnerabilities, and about how attacks on devices and healthcare systems can be combatted.
Firstly, what is SweynTooth?
Three researchers from the Singapore University of Technology and Design (SUTD), Matheus Garbelini, Sudipta Chattopadhyay, and Chundong Wang, have made details of the vulnerabilities available, having notified impacted manufacturers late last year.
The name “SweynTooth” covers a dozen flaws in the software development kits (SDKs) responsible for supporting Bluetooth Low Energy (BLE) communications that are provided by vendors of system-on-a-chip (SoC) chipsets. The vulnerabilities are believed to be on more than 480 different end-user devices. Six of the SoC manufacturers who were notified last year of the vulnerability and have released patches include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip and STMicroelectronics. Most BLE devices will remain unpatched for months or years as the chip manufacturers have to get their patches to the device manufacturers. The device manufacturers have to distribute the firmware updates to their customers. BLE device end-users are notoriously slow to reflash their firmware. There are many other impacted vendors and the researchers say they will release their names when those manufacturers release patches. Researchers also hinted that there are additional attack vectors against BLE devices which are still under non-disclosure.
How is it used to hack medical devices and the networks of healthcare organisations?
The Singapore researchers discovered that the SweynTooth vulnerabilities allow attackers to use radio signals to bypass security and take control of, or shut down, Bluetooth Low Energy devices. The SweynTooth BLE vulnerability is particularly stealthy because BLE connections are invisible on the corporate network. Once the attackers have a compromised device inside your facility they can use it as a beachhead to attack other systems. Devices can be compromised outside the facility, unbeknownst to their users, and then be carried in on the wrists or ears of innocent users.
Which medical devices are most at risk?
Devices that are implanted in or worn by patients: pacemakers, stimulators, blood glucose monitors and insulin pumps, or larger devices that are in healthcare facilities: electrocardiograms, monitors and diagnostic devices like ultrasound devices.
How can device manufacturers and healthcare organisations guard against it?
More information about the vulnerabilities, available patches and affected devices can be found on the ASSET Research Group SweynTooth disclosure website.
Can consumers who use wearables and the like guard against it in any way?
Users will have to wait on device manufacturers to provide updates to Bluetooth firmware, but as this is a chip-level device issue, the manufacturers are also dependent on the chip manufacturers to make patches available to them. Consumers should contact manufacturers for the latest updates and timelines on updates being made available.
Tell us about Bastille’s solution. How can it stop such attacks?
Only Bastille sees Bluetooth Low Energy devices all the time, even when they are paired. Other vendors may claim Bluetooth Low Energy device visibility, but they are only detecting them when the devices are in “advertising mode.” Once the BLE device finds a partner and pairs with it, those devices disappear from the competitors’ screens. Only Bastille continues to locate both ends of the BLE pair throughout the pairing connection.
Bob Baxley, Bastille’s chief technical officer, said: “Following the announcement of SweynTooth, Enterprise CISOs are asking their security teams to conduct a complete inventory of their airspace to detect and locate ALL the Radio Frequency devices within their enterprise, including Bluetooth Low Energy devices, so they can determine which devices may be affected. Only Bastille can detect and accurately locate every Bluetooth-based device on a floor plan, whether or not it is pairing at the time of the inventory, so that they can be investigated and patched or removed from the environment.
“SweynTooth, the Philips Hue vulnerability Zigbee Worm, BleedingBit, BlueBorne, MouseJack, and KeySniffer are all examples of how immature security is for Radio Frequency protocols. Ethernet and IP Protocols have undergone decades of battle-hardening. Even Wi-Fi has been heavily used for 20 years. These protocols had lots of security vulnerabilities when they were young but researchers have discovered those vulnerabilities and most have been patched. Widespread Bluetooth and BLE adoption are more recent and as a result, we’re still discovering very large security holes in those protocols. I have no doubt that similar huge security holes will be discovered in the more than 100 new radio protocols used by IoT devices. Bastille can tell you which devices in your facility--both on and off your network--are susceptible to a radio frequency (RF) attack. It is critical that CISOs understand their RF attack surface in order to maintain a secure perimeter.”
What went into developing the Bastille solution?
Bastille was established in 2015 to research threats and develop solutions for the ever-growing number of threats from unmanaged and managed RF devices (using IoT, Cellular, Wi-Fi and Bluetooth) in client facilities. Since then, we have raised over $45 million in venture capital and been granted over 20 patents, with more pending. Customers deploy a series of Software Defined Radio (SDR) sensor arrays around their buildings, which then send information back to our Fusion Centre (on premise or in the cloud) for processing. With this system, customers can Detect, Locate and Alert on all the RF devices, including BLE and Bluetooth devices in their environments, and also provide device information such as manufacturer to enable an audit to be completed to assess the risk from SweynTooth vulnerable devices.
Are there other notable and worthy details not covered worth highlighting for our readers?
The SweynTooth BLE vulnerability is particularly troublesome because it's hard to locate all the devices in your environment that use BLE. When BLE devices pair with another device, they stop advertising their existence. This means that most BLE devices are invisible in healthcare environments. However, these SweynTooth vulnerabilities allow attackers to use radio signals to bypass security, and take control of or shut down Bluetooth Low Energy devices.
Once the attackers have a compromised device inside healthcare facilities, cybercriminals can then use it as a beachhead to attack other systems. Further, devices can be compromised outside healthcare facilities unbeknownst to their users and then be carried in on the wrists or ears of innocent users. Only Bastille can detect and accurately locate every Bluetooth-based device on a floor plan, whether or not it is pairing at the time of the inventory, so that they can be investigated and patched or removed from the environment.