MEDICAL, MILITARY & INDUSTRIAL
Is your medical device vulnerable to cybersecurity threats?
The product development life cycle for wireless medical devices has always been extremely complex, and the growing cybersecurity threat landscape has raised the complexity further, says Brad Jolly, senior applications engineer, Keysight Technologies
You must now consider cybersecurity when you first architect and design the device. You must also consider it when you develop the device, including configuring the hardware, writing the firmware and software, and performing carefully documented verification and validation work to ensure safety and efficacy for patients and medical professionals.
In addition, you must consider cybersecurity when you specify the manufacturing and manufacturing test processes to ensure that cybersecurity threats do not burrow into your device on the factory floor.
What about cybersecurity for medical devices?
Although cybersecurity is becoming increasingly important, medical device cybersecurity is hardly a new topic. However, despite the numerous advances in combined hardware and software solutions for certain aspects of cybersecurity, the problem is far from solved, and medical device companies that incorporate the Bluetooth Low Energy (BLE) protocol into their devices must consider a whole new family of cybersecurity vulnerabilities.
SweynTooth
Many people are aware that the Bluetooth wireless communications protocol was named after the Danish king, Harald “Bluetooth” Gormsson. In the late 10th century, King Harald was deposed by his son, Sweyn Forkbeard, and it is in Sweyn’s memory that a new category of cybersecurity vulnerabilities within certain versions of Bluetooth, known collectively as SweynTooth, is named. The SweynTooth vulnerabilities were uncovered by researchers from Singapore University of Technology and Design (SUTD), who were partially funded by Keysight. The SUTD team disclosed them in an article provocatively titled “Unleashing Mayhem over Bluetooth Low Energy”.
According to the researchers, the SweynTooth vulnerabilities affect numerous categories of internet of things (IoT) devices. This is not surprising, as many device manufacturers do not develop their own communications chipsets and firmware, but instead rely on a small number of module vendors. In addition to affecting medical devices, SweynTooth affects devices used in logistics, consumer electronics, smart home, wearables, and other IoT application areas. According to the SUTD team:
“The current practice is to leave the implementation tests to the Bluetooth certification process. This is with the mindset that once the design is sound, hardly anything can break in the implementation of the Bluetooth stack. Our findings expose some fundamental attack vectors against certified and recertified BLE Stacks which are supposed to be ‘safe’ against such flaws.”
In addition to publishing the paper, the SUTD team reported the exposures to the Common Vulnerabilities and Exposures (CVE) database, which is currently hosted here and is presently undergoing a transition to a new site.
34 JUNE 2023 | ELECTRONICS TODAY
Response from vendors
The report from SUTD listed several vendors producing components and devices that contained the vulnerabilities, including many well-known companies. These companies, of course, took swift action to assess the extent of the vulnerabilities in their products and to address them appropriately. However, many products containing the vulnerabilities had already been shipped to customers, and many of those customers are either unknown or untraceable. Therefore, many devices with SweynTooth vulnerabilities remain in use. Furthermore, subsequent research by SUTD has discovered another set of vulnerabilities collectively known as BrakTooth. The BrakTooth vulnerabilities are estimated to affect more than one billion devices that have already been shipped to end customers.
Conclusion
Cybersecurity is a critically necessary aspect of the medical device product development cycle. SweynTooth is just one example of the kinds of vulnerabilities that can potentially disrupt countless lives, and BLE is not the only wireless protocol that is subject to cybersecurity vulnerabilities. To reduce risk and ensure efficacy, medical device manufacturers should make cybersecurity part of their risk register and quality management system (QMS) and ensure that they integrate continuous security validation into their software development pipelines. They should also use penetration testing tools, such as protocol fuzzing, and subscribe to a cybersecurity intelligence service to monitor and keep up to date with the latest attack methodologies.
Failure to properly address cybersecurity risk in a connected medical device could lead to government regulators pulling your authority to ship devices or even the potential for life-or-death consequences for patients.