Vulnerability Management, Risk Assessments/Management

BrakTooth vulnerabilities pose DoS risk to medical devices, HHS warns

Staff at the University Hospital Monklands monitor a COVID-positive patient on the ICU ward on Feb. 5, 2021, in Airdrie, Scotland. (Photo by Jeff J Mitchell/Getty Images)

Dozens of medical device models are impacted by BrakTooth vulnerabilities, a group of security flaws in commercial Bluetooth Classic (BR/EDR) stacks used in System-on-Chips (SoC), according to a recent analyst note from the Department of Health and Human Services Cybersecurity Program (HC3).

An exploit could result in adverse consequences in the health care sector, from a patient data breach to a system shutdown that could prevent a patient from receiving treatment. Researchers believe the vulnerabilities affect millions of devices globally.

However, the BrakTooth vulnerability is based on implementations of the Bluetooth Classic protocol, therefore "the threat actor must be within the radio range of the target to execute the attack.”

BrakTooth was discovered by Singapore University of Technology and Design’s Automated Systems Security (ASSET) Research Group and was first disclosed on Aug. 31. Braktooth leverages the BR/EDR protocol used by millions of Bluetooth-enabled devices manufactured by Intel, Qualcomm, Texas Instruments, Infineon, Zhuhai Jieli Technology, and Silicon Labs. 

HC3 warns that providers should heed the mitigation strategies as Bluetooth devices are critical to a number of health care functions and tampering with the device could result in critical failure. The family of vulnerabilities are found in Bluetooth stacks implemented on SoC circuits. As the Bluetooth stack is often shared across a number of products, there may be other devices affected by the flaws.

The chip in question is ESP32, developed by Espressif Systems. It’s small in size, but packs a “powerful punch” with low power consumption and low cost, which makes it ideal for a number of IoT applications in industrial equipment and in medical devices.

As the Bluetooth Classic is broadly used in those sectors, there’s a high chance that some medical devices could be affected by the vulnerabilities. In particular, ESP32 is used in a number of health care monitoring systems, such as the hardware components. The chip is also commonly used in heartbeat, body temperature, room temperature, CO, and CO2 sensors.

The flaw also exists in Intel and Qualcomm WCN3990 SoC devices operating on the AX200 SoC. When the specific devices send a malformed packet, a DoS response is triggered. The impacted devices include certain laptops and desktops from Dell and Microsoft Surface.

The HC3 advisory contains a list of the known device vendors affected by BrakTooth, as well as the patch status. The researchers found more than 1,400 products impacted by the flaws.

“To exploit the vulnerability, a threat actor will need an ESP32 development kit, a custom Link Manager Protocol (LMP) firmware, and a computer to run the proof-of-concept tool. The vulnerabilities in the BrakTooth collection target the LMP and baseband layers,” according to the advisory.

Researchers stress that Braktooth risks range from denial-of-service that can crash the device firmware, as well as a deadlock condition that completely shuts down Bluetooth communication.

The risks have been assigned 20 identifiers, but others are currently under review. The alert shows the crashing, deadlock, and arbitrary code risk are tied to 16 flaws, including a truncated SCO link request, duplicated IOCAP Feature Response Flooding, and LMP Auto Rate Overflow, among others.

A successful exploit of any of the identified flaws would enable a remote hacker to launch multiple attacks and spur firmware crashes. HC3 warns that an attack like this in health care could result in any number of negative impacts.

A previous advisory from the Singapore Health Sciences Authority warns of the possible effect on medical devices leveraging certain Bluetooth Link Manager Protocols. But the findings are still under observation, and HC3 plans to monitor for future resorts and overall impact.

Fortunately, there have been no public exploits of the flaws. Providers should contact I-SAC or ISAOs for support responding to the flaws.

Providers are being urged to review the analyst note to assess the possible impact within their environment, as well as to verify the patch status and mitigation measures. When a patch is not available, the security leader should monitor the device for anomalous behavior and work with the manufacturer on the most effective compensating controls to prevent an exploit.

“A risk assessment should be conducted to efficiently assess BrakTooth’s risk to users or day-to-day operations,” according to HC3. “With the potential magnitude of this attack vector, enhanced physical security could be an interim measure to reduce the likelihood of an attack while affected devices are mitigated.”

Braktooth bears hallmarks to a set of vulnerabilities, dubbed SweynTooth, found in medical devices that rely on Bluetooth Low Energy (BLE) wireless communication tech found in products designed by several microchip manufacturers, including Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor.

Some of those manufacturers are also listed in the HC3 BrakTooth advisory. In March 2020, the Food and Drug Administration warned an exploit of the flaws could enable an attacker to remotely crash a device or stop its function. The exploit could also give access to functions typically only available to authorized users. The primary concern was that some of the impacted devices were implanted or worn by patients, such as insulin pumps or pacemakers.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.