‘SweynTooth’ Vulnerabilities May Affect Devices Using Bluetooth Low Energy, Advises FDA

Posted March 11, 2020

A group of cybersecurity vulnerabilities known as SweynTooth have the potential to affect certain medical devices, according to a safety communication from the Food and Drug Administration (FDA). The family of 12 vulnerabilities are associated with Bluetooth Low Energy (BLE)—a wireless communication technology that “allows two devices to ‘pair’ and exchange information to perform their intended functions while preserving battery life,” wrote the agency.

The FDA said it has no knowledge of confirmed adverse events caused by the SweynTooth bugs. The vulnerabilities fall into three categories based on the manner in which they can affect medical devices:

  • Crash. Device may stop working or communicating.
  • Deadlock. Device may freeze and cease functioning properly.
  • Bypass security. Allowing an unauthorized user to perform device functions typically available to authorized users only.

The safety communication includes several recommendations for manufacturers, healthcare providers, and patients/caregivers. For manufacturers that produce devices that use BLE, the FDA recommended evaluating how the devices may be affected by SweynTooth. This recommendation was extended to include “any device that communicates with your device” using BLE.

The agency also advised manufacturers to conduct a risk assessment, consistent with its cybersecurity postmarket guidance, “to evaluate the impact of these vulnerabilities to affected devices and develop risk mitigation plans.”

If a device is found to be vulnerable to SweynTooth, manufacturers should contact the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency at ics-cert@hq.dhs.gov, in order to contribute to the expanding body of knowledge regarding the vulnerabilities.

Among recommendations for providers, the FDA encouraged working with manufacturers to develop mitigation strategies for potentially affected devices that are currently in use in healthcare facilities. It also advised health professionals to “remind patients who use medical devices to seek medical help right away if they think operation or function of their medical device changed unexpectedly.”

Similar guidance was provided to patients/caregivers. The FDA recommended that they speak with their healthcare provider to determine whether their devices may be affected by SweynTooth and if further action is necessary. Both health professionals and patients also were encouraged to report observed or suspected device-related problems to the FDA via its MedWatch Voluntary Reporting Form.