SWEYNTOOTH UPDATE

FDA issues press release on SWEYNTOOTH

SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices: FDA Safety Communication

"The U.S. Food and Drug Administration (FDA) is informing patients, health care providers, and manufacturers about the SweynTooth family of cybersecurity vulnerabilities, which may introduce risks for certain medical devices. The FDA is not aware of any confirmed adverse events related to these vulnerabilities. Software to exploit these vulnerabilities in certain situations is already publicly available.”

Link to FDA full press release

SWEYNTOOTH ANNOUCEMENT

February 8, 2020

Three researchers from the Singapore University of Technology and Design (SUTD), Matheus Garbelini, Sudipta Chattopadhyay, and Chundong Wang, made details of the vulnerabilities available in February 2020, following a 90 day waiting period for Responsible Disclosure, having notified impacted manufacturers in late 2019. 

The name “SweynTooth” covers a dozen flaws in the software development kits (SDKs) responsible for supporting BLE communications that are provided by vendors of system-on-a-chip (SoC) chipsets. The vulnerabilities are believed to be on more than 480 different end-user devices. Six of the SoC manufacturers who were notified last year of the vulnerability and have released patches include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics. Most BLE devices will remain unpatched for months or years as the chip manufacturers have to get their patches to the device manufacturers. The device manufacturers have to distribute the firmware updates to their customers. BLE device end-users are notoriously slow to reflash their firmware. There are many other impacted vendors and the researchers say they will release their names when those manufacturers release patches. Researchers also hinted that there are additional attack vectors against Bluetooth Low Energy devices which are still under non-disclosure.

More information about the vulnerabilities, available patches and affected devices can be found on the ASSET Research Group SweynTooth disclosure website.

“The Singapore researchers discovered that the SweynTooth vulnerabilities allow attackers to use radio signals to bypass security, and take control of, or shut down Bluetooth Low Energy devices,” said Chris Risley, CEO at Bastille Networks. “The SweynTooth BLE vulnerability is particularly stealthy because BLE connections are invisible on the Corporate Network. Once the attackers have a compromised device inside your facility they can use it as a beachhead to attack other systems. Devices can be compromised outside the facility, unbeknownst to their users, and then be carried in on the wrists or ears of innocent users.”

Only Bastille Sees Bluetooth Low Energy Devices All The Time, Even When They Are Paired 

“The SweynTooth BlueTooth Low Energy (BLE) vulnerability is particularly troublesome because it's hard to locate all the devices in your environment that use BLE,” said Chris Risley, CEO at Bastille Networks. “When BLE devices pair with another device, they stop advertising their existence. This means that most BLE devices are invisible in healthcare environments. However, these SweynTooth vulnerabilities allow attackers to use radio signals to bypass security, and take control of or shut down Bluetooth Low Energy devices.  Only Bastille can detect and accurately locate every Bluetooth-based device on a floor plan, whether or not it is pairing at the time of the inventory, so that they can be investigated and patched or removed from the environment.”

“Once the attackers have a compromised device inside healthcare facilities, cybercriminals can then use it as a beachhead to attack other systems, continued Risley, “further, devices can be compromised outside healthcare facilities unbeknownst to their users and then be carried in on the wrists or ears of innocent users.” 

Other vendors may claim Bluetooth Low Energy device visibility, but they are only detecting them when the devices are in “advertising mode”. Once the BLE device finds a partner and pairs with it, those devices disappear from the competitors’ screens. Only Bastille continues to locate both ends of the BLE pair throughout the pairing connection.

“Following the announcement of Sweyntooth, Enterprise CISOs are asking their security teams to conduct a complete inventory of their airspace to detect and locate ALL the Radio Frequency devices within their enterprise, including Bluetooth Low Energy devices, so they can determine which devices may be affected,” said Bob Baxley, Bastille’s Chief Technology Officer. “Only Bastille can detect and accurately locate every Bluetooth-based device on a floor plan, whether or not it is pairing at the time of the inventory, so that they can be investigated and patched or removed from the environment”.

Bob Baxley added, went on to say: “SweynTooth, the Phillips Hue vulnerability Zigbee Worm, BleedingBit, BlueBorne, MouseJack, and KeySniffer are all examples of how immature security is for Radio Frequency protocols. Ethernet and IP Protocols have undergone decades of battle-hardening. Even Wi-Fi has been heavily used for 20 years. These protocols had lots of security vulnerabilities when they were young but researchers have discovered those vulnerabilities and most have been patched. Widespread Bluetooth and BLE adoption are more recent and as a result, we’re still discovering very large security holes in those protocols. I have no doubt that similar huge security holes will be discovered in the more than 100 new radio protocols used by IoT devices. Bastille can tell you which devices in your facility--both on and off your network--are susceptible to RF attack. It is critical that CISOs understand their RF attack surface in order to maintain a secure perimeter.”

Bastille Enterprise: Bastille Enterprise is available now. Bastille can be installed to discover devices and networks anywhere from a single meeting room up to hundreds of buildings on a global basis. Bastille provides continuous RF monitoring and protection for an organization’s most valuable assets.