SweynTooth Exploit Leaves Medical Hardware Vulnerable to Cyberattacks
Vincent Charbonneau posted on March 25, 2020 |
SweynTooth has the potential to cause havoc for many IoT and Bluetooth devices

Technology’s influence on medicine has helped to increase human life spans, improve the quality of life of billions, and cure horrific illnesses. From the implementation of basic sanitation systems in centuries past to the modern development of advanced pharmaceuticals and prosthetics that have sharply reduced human suffering, the infusion of technology within the medical field has always been to the benefit of humanity. But will that always be the case?

As the march of progress continues to refine our medical machines and systems, dangerous and potentially life-threatening vulnerabilities are beginning to make their way into our increasingly connected and complex medical machinery. The recently discovered “SweynTooth” cybersecurity exploit is one such threat.

According to a recent news release from U.S. Food and Drug Administration (FDA), “SweynTooth affects the wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to ‘pair’ and exchange information to perform their intended functions while preserving battery life, and can be found in medical devices as well as other devices, such as consumer wearables and Internet of Things (IoT) devices.”

BLE messages exchange diagram. (Image courtesy of ASSET Research Group.)
BLE messages exchange diagram. (Image courtesy of ASSET Research Group.)

SweynTooth is able to take advantage of up to 12 vulnerabilities across various BLE software development kits (SDKs) of seven major system-on-a-chip (SoC) manufacturers: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.

A report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) outlines some of the exploits and their worrisome effects, which include:

  • Crash from Link Layer Length Overflow: An attacker can crash the affected device by triggering hard faults. If such a crash occurs, the device may restart. The capability to restart depends on correct hard-fault handling mechanisms being implemented in the product using devices with the vulnerable BLE SoC.
  • Unexpected Public Key Crash: Assailants in radio range can exploit this vulnerability to cause a denial-of-service condition. The device may not properly handle hard faults and can enter a deadlock state, which may require a manual restart.
  • Link Layer LLID deadlock: The availability of BLE products could be critically impaired, likely requiring users to manually perform a power cycle on the product to reestablish BLE communication.
  • Crash from Key Size Overflow: This exploit allows an attacker in radio range to perform buffer overflow and crash products with pairing support enabled, which is a common practice in several BLE products. In the worst case, it could be possible to overwrite buffers that store encryption nonce, which could allow the attacker to bypass encryption and leak user information.
  • Deadlock from Invalid Connection Request: This is a denial-of-service condition in the affected products using the vulnerable SoCs. Crashes originating from hard faults, if not properly handled, can become a deadlock if the device is not automatically restarted. In most cases, when a deadlock occurs, the user is required to manually power off and power on the device to reestablish proper BLE communication.
  • Security Bypass from Zero LTK Installation: This enables cybercriminals to bypass the latest secure pairing mode of BLE, that is, the Secure Connections pairing mode. Such an attacker in radio range may then have arbitrary read or write access to the device’s functions.

All of this means that if SweynTooth is allowed to infect medical devices equipped with BLE, it can let unauthorized users—be they cybercriminals or worse—remotely crash, lock out, or access device functions normally only available to authorized users. And with the current COVID-19 pandemic in progress, the potential to spark a conflagration of chaos in hospitals that are already coming under strain from the virus is all too real. It is also important to note that medical devices are not the only technology at risk. As it turns out, many categories of wearables and other BLE devices may also be in peril.

Thanks to a rigorous series of test attacks on different types of hardware, ASSET Research Group was able to discover that there are many variants of IoT-enabled gadgets that can fall prey to the SweynTooth exploit. The key factor linking each category of susceptible devices is the fact that they all utilize SoCs from the aforementioned seven major manufactures.

The popular Fitbit Inspire (launched in 2018) uses the Cypress PSoC 6 as its main processor, therefore leaving it open to attack by Link Layer Overflow and LLID deadlock exploits. “To verify what happens to the wearable when both issues are exploited, we have sent malicious packets to the Fitbit Inspire smartwatch through the BLE communication channel,” states ASSET’s publication.

“Once the malicious packets are sent to the device, it is possible to trigger either a buffer overflow in device’s memory or deadlock its Bluetooth stack temporarily. The former attack (exploiting Link Layer Overflow) immediately restarts the device, whereas the latter (exploiting LLID deadlock) disables its Bluetooth advertisement for about 27 seconds before the smartwatch is automatically restarted by the firmware.”

An illustration of products that are vulnerable to SweynTooth. (Image courtesy of ASSET Research Group.)
An illustration of products that are vulnerable to SweynTooth. (Image courtesy of ASSET Research Group.)

Another device identified as “at risk” is the CubiTag Bluetooth tracker. The tracker operates by proximity: objects that have been tagged with the tracker can be located by using a mobile app that searches for the tracker and causes it to emit an audible alarm, making it easy to find the object in question. The problem is that the CubiTag relies on a vulnerable TI CC2640R2 SDK.

“Out of two vulnerabilities on this SDK, only the Public Key Crash affects availability of CubiTag. The CubiTag immediately stops advertising itself and is never found by the mobile app again; hence, it is deadlocked. The CubiTag device only works again by manually opening it with a screwdriver and re-inserting its battery. This is for the tracker SoC to reboot properly and to establish normal BLE connection,” cautions ASSET.

The good news is that the situation is not as bleak as it may seem. CISA is already engaged in a coordination effort with multiple stakeholders to establish potential mitigation strategies. The BLE SoC manufacturers employing software development kits (SDK) that are known to be in jeopardy of SweynTooth exploitation have already issued notifications to users and have begun to develop and release software patches that can safeguard their products.

CISA recommends that users first install the updates in a test development setting that reflects their production environment prior to installation. Additionally, users are advised to evaluate the possibility and safety of disabling the use of the affected wireless communications protocol, as well as to apply available recommendations from individual SoC manufacturers. It is also critical to update (or create a plan to update) to the latest available patch level to mitigate the vulnerabilities for affected systems and devices.

Patches available by SoC vendors as of March 17, 2020. (Image courtesy of ASSET Research Group.)
Patches available by SoC vendors as of March 17, 2020. (Image courtesy of ASSET Research Group.)

Lastly, you may be wondering … what’s with the name “SweynTooth”?

The answer, provided by ASSET, actually makes perfect sense: “The insight behind the name SweynTooth arrives from Sweyn Forkbeard, the son of King Harald Bluetooth (after whom the Bluetooth Technology was originally named). Sweyn revolted against Harald Bluetooth and this forced King Harald to his exile. The exile led to the death of King Harald. We envision that if SweynTooth style vulnerabilities are not appropriately handled by BLE vendors, then the technology can become a breeding ground for attackers. This may, in turn, lead the Bluetooth technology to be obsolete.”

Let us hope that day never comes, given how central a role Bluetooth technology plays in our hyper-connected world.

Recommended For You