The U.S. Food and Drug Administration (FDA) is informing patients, health care providers, and manufacturers about the SweynTooth family of cybersecurity vulnerabilities, which may introduce risks for certain medical devices. The FDA is not aware of any confirmed adverse events related to these vulnerabilities. Software to exploit these vulnerabilities in certain situations is already publicly available.
Security researchers have identified 12 vulnerabilities, named “SweynTooth,” associated with a wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life.
The potential impacts of the SweynTooth vulnerabilities fall into three categories. An unauthorized user can wirelessly exploit these vulnerabilities to:
- Crash the device. The device may stop communicating or stop working.
- Deadlock the device. The device may freeze and stop working correctly.
- Bypass security to access device functions normally available only to an authorized user.
The FDA is currently aware of several system-on-a-chip (SoC) manufacturers that are affected by these vulnerabilities:
- Texas Instruments
- Dialog Semiconductors
- Telink Semiconductor
For more information about SweynTooth cybersecurity vulnerabilities, see:
- ICS-ALERT-20-063-01 SweynTooth Vulnerabilities - Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) advisory, March 3, 2020
Medical device manufacturers are already assessing which devices are affected by SweynTooth, evaluating the risk, and developing remediation actions.
Recommendations for Manufacturers
- If your device or any device that communicates with your device uses BLE technology, evaluate how it is impacted by these vulnerabilities.
- Conduct a risk assessment, as described in FDA’s cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities on affected devices and develop risk mitigation plans.
- Mitigations should include compensating controls while you are developing software patches.
- Work with health care providers, facilities, and patients to determine which medical devices are affected and to take actions to ensure that risks are reduced to acceptable levels.
- Where possible, monitor medical devices for any signs of unusual behavior. Communicate with your customers and the user community regarding your assessment and recommendations for risk mitigation strategies and any compensating controls, so that customers can make informed decisions about device use. Share your customer communications with an Information Sharing Analysis Organization (ISAO).
- Report medical devices you have identified as vulnerable to SweynTooth to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) at ICS-CERT@HQ.DHS.GOV, so that this information can be added to its evolving list of products.
Note about Premarket Review: In general, compensating controls and patches made to address the SweynTooth vulnerabilities are not likely to significantly affect the safety or effectiveness of the device and thus would not likely need FDA premarket review prior to implementation. If the changes to the device needed to address the vulnerabilities could significantly affect the safety or effectiveness of the device, however, premarket review is required. If you have questions about whether a device modification requires premarket review, you may email OPEQ_Cybersecurity@fda.hhs.gov for assistance.
For additional information on premarket submission and postmarket reporting expectations, see Cybersecurity Guidances on the FDA’s Cybersecurity page.
Recommendations for Health Care Providers and Facility Staff
- Work with device manufacturers to determine which medical devices in your facilities or in use by your patients could be affected by these vulnerabilities and develop risk mitigation plans.
- Advise patients who use affected medical devices about steps they can take to reduce risk.
- Remind patients who use medical devices to seek medical help right away if they think the operation or function of their medical device has changed unexpectedly.
- Where possible, monitor medical devices for any signs of unusual behavior.
Recommendations for Patients and Caregivers
- Talk to your health care provider to determine if your medical device may be affected or whether you should take any actions. Device manufacturers will be sharing more information as it becomes available.
- Seek medical help right away if you think your medical device is not working as expected.
The FDA is working closely with other federal agencies, manufacturers, and cybersecurity researchers to identify, communicate, and prevent adverse events related to the SweynTooth vulnerabilities.
The FDA will continue to assess new information concerning the SweynTooth vulnerabilities and will keep the public informed if significant new information becomes available.
Reporting Problems with Your Device
If you think you had a problem with your device or a device your patient uses, the FDA encourages you to report the problem through the MedWatch Voluntary Reporting Form.
Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
If you have questions, email the Division of Industry and Consumer Education (DICE) at DICE@FDA.HHS.GOV or call 800-638-2041 or 301-796-7100.