Given the huge array of devices that use Bluetooth – everything from speakers to smartwatches – it’s no surprise it’s a favourite target of hackers. Security researchers have found dozens of Bluetooth weaknesses in the last few years, including KNOB and BlueBourne. However, a new vulnerability discovered last week could cause chaos for the medical device industry.
Researchers have uncovered a collection of 12 bugs labelled SweynTooth, which can be used to launch attacks and crash devices including pacemakers, blood glucose monitors and more. To make matters worse, there’s no single patch to fix the issue. Manufacturers will need to individually test each product, determine which attacks might be feasible using SweynTooth and apply the correct patches.
Unfortunately, SweynTooth will not be the last such incident MedTech manufacturers encounter this year. As devices become more widespread and meet more patient needs, cyber-security is only going to become more of a headache. In most cases, it will be possible to issue a patch and ensure that patients are kept safe – a task that is more onerous for device manufacturers than other industries.
While many firms decide to forgo patching – Microsoft even revealed most of its customers are breached via vulnerabilities that had patches released years ago – this simply isn’t an option for medical device manufacturers. The reputational damage of finding out that a failure to patch resulted in a customer having their pacemaker hacked would be monumental.
Yet simply issuing a patch won’t always be possible. As illustrated by the recent spate of problems caused by Microsoft’s decision to end updates and support for Windows 7, sometimes there will be circumstances outside of a manufacturer’s control which means vulnerabilities could be discovered for which no patch is available.
When it comes to consumer goods such as speakers, manufacturers have the option to simply ‘brick’ the device and ensure hackers can’t use it as an attack vector. But that isn’t the case when it comes to life-saving technology and the only solution is to recall and replace a device.
Considered in this light it’s unsurprising that, of the 2,841 medical device recalls issued in 2019, the number one reason cited was software issues. It’s impossible to design a hackproof system and even if manufacturers are diligent when it comes to issuing patches, the fact is that some recalls will inevitably occur. Executives need to make sure they understand the risks and have a strong recall strategy in place so that when the worst happens, they are prepared. Having the right preventative measures in place can stop a relatively small issue from turning into a much bigger headache.