Are Bluetooth Medical Devices Dangerous?

Do not act on this post without discussing it with your physician or healthcare professional. I have some thoughts you and your physician may want to consider, but this is not the place for health advice. Make health decisions by consulting with physicians and health professionals, not software engineers.

Let me say the worst out front: hackers exploiting weaknesses in Bluetooth-enabled electronic medical devices could kill their victims. However, given the currently known vulnerabilities, the feat would be physically difficult, require a high level of skill, and be unreliable as an assassination method. More likely, these devices could be the basis for threats and extortion similar to ransomware.

That being said, I don’t think anyone should feel immediately threatened by Bluetooth medical devices. Some recognized Bluetooth vulnerabilities have troubling potential, but only potential. Researchers have found vulnerabilities that are theoretically exploitable, but no exploits have been seen. In the meantime, engineers are scrambling to patch the weak spots and the engineers have a good chance to beat the criminals.

Bluetooth Technology

Bluetooth is a technology for connecting computer peripherals wirelessly. It is intentionally designed to work only at short distances; thirty feet is the designated limit for reliable operation, although the functional range can be broader. Unlike Wi-Fi or cellular signals, Bluetooth is not good at penetrating walls and other barriers.

I use Bluetooth headphones, mice, styluses, and keyboards all the time. Good riddance to pesky cables and cords. But Bluetooth is not always secure. For example, the National Security Agency bans Bluetooth cellphone headphones for discussing classified information. The Cayla doll of a few Christmases ago had some disturbing security flaws— not all due to Bluetooth, but Bluetooth was a factor. See Checklist to Avoid the Next Cayla Doll for some advice on using Bluetooth in general. I wrote some rules for using Bluetooth safely a few years ago that are still good: Seven Rules for Bluetooth at Starbucks.

Like many computing standards, Bluetooth is designed to work in many different situations by using some features in one implementation but not in others. For example, one of the most vulnerable— and annoying— aspects of Bluetooth usage is pairing, the process of connecting two Bluetooth devices. The standard document lists several different ways that pairing can work. The most popular, called “Just works,” freely connects any device to any other: easy but totally insecure. Most people don’t really care if an intruder overhears music from their phone and prefer the ease of “Just works” pairing, but the NSA takes issue with eavesdropping on classified info, hence the banned headphones.

Other pairing methods require exchange of passwords and other codes. They are a hassle, but more secure and therefore sometimes necessary. For example, Bluetooth keyboards often use more secure pairing because most people would rather that the stranger at the next table at Starbucks not be able to type commands into their laptop. The manufacturers of these devices have to balance convenience and ease of use with security. I have to say, for a product manager whose salary depends on producing easily sold products, choosing ease-of-use is tempting. Security is often said to drive away customers.

Bluetooth Medical Device Vulnerabilities

Bluetooth is great for users of medical devices like implanted pacemakers and defibrillators, insulin pumps, continuous blood sugar monitors, and other life-saving gadgets. Leads that connect internal devices to external controls are open wounds that invite infection and require constant effort to keep sanitary. Connecting an external device to a controller with physical cables is a nuisance. Mouse cables are annoying, cables that snake through clothing are worse. Bluetooth wireless connections eliminate many of these issues.

A security group in Singapore has published what are called the SweynTooth vulnerabilities, a list of known flaws in Bluetooth implementations that could compromise a number of Internet of Things, smart-home, wearable, and other gadgets, including medical devices. Details here. I’ve examined these vulnerabilities and divide them into three groups:

  • Device crashes
  • Denial of Service issues— overwhelming the device by bombarding it with unwanted messages
  • Device takeovers

The first two groups of vulnerabilities crash the device or throw it into an overwhelmed state in which it effectively stops working. The device has to be restarted, but it will most likely return to normal operation after reboot. These issues are annoyances, perhaps extreme annoyances, but I find it hard to imagine they are life threatening. Most of the SweynTooth vulnerabilities fall into this class.

One SweynTooth vulnerability has an extremely disturbing outcome: device takeover. In this scenario, a criminal takes control of the medical device. If the device is a defibrillator, the criminal could repeatedly defibrillate a normally functioning heart. Death is a reasonable expectation. A compromised pacemaker could slow the victim’s heart rate to the point of brain death and organ failure, or accelerate the rate and cause an arrhythmia. A compromised insulin pump could overdose a victim with insulin. In each case, death is possible.

Outcomes

In the face of these dangers, how likely are these outcomes? In my judgement, possible but improbable.

First, Bluetooth has limited range. The attacker must be close to the victim. In most cases, in sight of the victim. Bluetooth can penetrate walls and other barriers, but not well. This is excellent news for potential victims because criminals have to identify their targets and get close to attack. This is not good, but much better than situations where the attacker can anonymously scan the network for potential victims and attack from the other side of the planet. An operational non-medical suggestion: if you use a vulnerable device, avoid broadcasting the fact to those around you.

Second, these vulnerabilities are not simple to exploit. An attacker has to be familiar with both Bluetooth technology and the implementation of the medical device in order to launch an attack. This eliminates casual criminals and script kiddies, but leaves the door open for military or government operations.

The upshot is that only significant targets are likely to become victims. Who is a target? Well, if you have upset North Korea and have a vulnerable embedded defibrillator, conceivably, North Korean cybercommand could send a highly trained operative to get within Bluetooth range of you and flub your defibrillator. Most people don’t fall in that class.

More likely, a criminal group might hack into a medical device supplier’s records and get a list of users of vulnerable devices, get within Bluetooth range and harass a few users, then demand ransom from the supplier. Might work, but regular ransomware is orders of magnitude less work and risk for the criminals.

Final Words

Given these circumstances, what would I do? Discuss it with my doctors. Persuade them to demand that device suppliers address the SweynTooth vulnerabilities. I would tell my doctor that I would rather avoid using a vulnerable device, but I would use one if the medical advantages justify the risk. Nevertheless, those attorneys who advertise on television will reap the benefits if victims start keeling over.

Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet. More with special equipment, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s halfway to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or when you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.
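
One way to check a Linux machine against rules 2, 5 and 6, as an added example that is not part of the original post: it parses the text printed by BlueZ's `bluetoothctl show` and `bluetoothctl devices Paired` (`paired-devices` on older BlueZ releases). The sample output, the addresses and the `in_use` allowlist are constructed for illustration.

```python
import re

# Constructed sample of `bluetoothctl show` output (not captured from a real host).
SAMPLE_SHOW = """\
Controller 00:00:5E:00:53:00 (public)
    Name: laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
"""
# Constructed sample of the paired-device list.
SAMPLE_PAIRED = """\
Device 00:00:5E:00:53:01 Desk keyboard
Device 00:00:5E:00:53:02 Rental car hands-free
"""

DEVICE_RE = re.compile(r"^Device\s+((?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(.*)$", re.I)


def parse_controller(show_text):
    """Turn `bluetoothctl show` output into a {field: value} dict."""
    fields = {}
    for line in show_text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key not in fields:  # UUID lines repeat; keep the first
            fields[key] = value.strip()
    return fields


def parse_devices(devices_text):
    """Return [(MAC, name)] from 'Device <MAC> <name>' lines."""
    matches = (DEVICE_RE.match(line.strip()) for line in devices_text.splitlines())
    return [(m.group(1).upper(), m.group(2)) for m in matches if m]


def audit(show_text, paired_text, in_use=()):
    """Check adapter state against rules 2, 5 and 6; in_use lists wanted MACs."""
    ctrl = parse_controller(show_text)
    wanted = {mac.upper() for mac in in_use}
    powered = ctrl.get("Powered") == "yes"
    findings = []
    if powered and not wanted:
        findings.append("rule 2: adapter is on but nothing is in use; turn it off")
    if powered and ctrl.get("Discoverable") == "yes":
        # A timeout of 0 means the adapter stays discoverable until changed.
        forever = int(ctrl.get("DiscoverableTimeout", "0x1"), 16) == 0
        findings.append("rule 6: adapter is discoverable"
                        + (" with no timeout" if forever else ""))
    for mac, name in parse_devices(paired_text):
        if mac not in wanted:  # rule 5: every unused pairing is attack surface
            findings.append(f"rule 5: unused pairing {mac} ({name})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW, SAMPLE_PAIRED, in_use=["00:00:5E:00:53:01"]):
        print(finding)
```

On a live host, pass the two command outputs in place of the samples and list in `in_use` the addresses of the devices you actually rely on.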

Checklist to Avoid the Next Cayla Doll

The Cayla doll story is frightening. The unintended consequences of a clever child’s toy amount to an invasion of child privacy. I expect more such stories. Devices now in homes don’t just offer entertainment and convenience. They can also open doors to corporate and criminal intrusion. TVs and refrigerators, along with our phones and laptops, can all have cameras and microphones. Without your permission, someone could control these from outside your home.

Threat assessment

Security professionals follow a procedure called “threat assessment” to spot potential dangers. Threat assessment is a series of questions. Their answers yield a clear picture of threats. The questions are common sense, but you may not always think to ask them.

I recommend that before you install any device in your home or business, especially those connected to the internet, you go through a threat assessment. You may already do so without realizing it. Think through each of the five questions below. These questions apply to almost all computer security. The next five apply to non-computer devices connected to the network.

The basic checklist

  • What am I protecting? Most often, it is privacy of your family or business. Cayla can listen to you and your child and transmit what it hears to an unknown intruder or a cloud data business. The business or an intruder can speak to your child without your knowledge. Your television may record and analyze the conversations in your living room. Other devices may have similar abilities. Most often, you are protecting yourself from outside interference in your life.
  • Where does the threat come from? The source could be a business putting together a portfolio on you that they will use to sell things to you. Less likely, but still possible, the source may be a sinister criminal planning some kind of assault. A government agency, for good or bad, could use the device to collect information on you.
  • How likely is the threat? You probably know that data organizations collect data on you. And you have noticed that they have guessed whether you prefer heavy equipment parts or needlework supplies. On the other hand, the FBI probably hasn’t picked your refrigerator to monitor.
  • How great is the danger? Ads targeted to your online search profile may annoy you, but the danger to your person is slight. But a criminal stalker monitoring your phone conversations through your Bluetooth headset may be dangerous.
  • What are you willing to sacrifice for protection? Threats can be stopped, but is the effort worth the benefit? All direct cyberthreats can be stopped or severely curtailed by going cash only and abstaining from the use of all electronic devices. Does the threat justify the sacrifice?

The Internet of Things

The threats here are from the Internet of Things (IoT), devices connected to the network but not usually called computers. The IoT is uniquely dangerous in two ways. First, IoT devices sneak in on us. We see them, but don’t think of them as computers connected to the internet. Even though many people have an idea of the threats involved in network computing, the IoT slips beneath their radar. Second, the designers of IoT devices often have no concept of good security practices and the devices are often shockingly vulnerable.

Questions for IoT security

  1. Find out how it connects to the network. Hard wiring, Wi-Fi, Bluetooth, and cellular are the main ways.
  2. Can you unplug it from the network? How easily? The first step when you suspect some kind of intrusion is to disconnect from the network. Make sure you can. Many IoT devices can’t be switched off like a laptop or desktop. If hackers remotely unlock your front door, you must stop them immediately. Don’t put yourself in a position where you must call a locksmith to install a new lock to keep your door closed.
  3. Are logs kept of who tinkers with the device? When the tinkering happened? The location of the tinkerer?
  4. Does the device collect data? If so, what is it and who has access to it? Can you control what is collected and who has access?
  5. Can the device firmware be updated with security fixes? Can it be done automatically?

These questions may not be easy to find answers for. Marketing literature is often sketchy or even deceptive on security. Engineering documents are better, but hard or impossible to get. However, even partial answers help evaluate the threat and underpin informed choices.

Cayla, A Living Doll from the Twilight Zone

Cayla, a computer-driven talking doll, uses technology similar to that behind Amazon’s Alexa, Microsoft’s Cortana, Apple’s Siri, and Google Home to construct a toy that simulates a living friend for a child. Unfortunately, some believe that Cayla may be the embodiment of the murderous Talky Tina of the fifty-year-old episode of The Twilight Zone, The Living Doll.

In Germany, Cayla has been declared a banned surveillance device. Selling and even possessing a Cayla in Germany is illegal. The doll’s communication capability must be permanently disabled to make it legal in Germany. Also, several groups in the US have launched an action to have Cayla sanctioned under the Children’s Online Privacy Protection Act (COPPA).

I’m not here to advocate that these government and legal actions are justified or not justified, that’s for individuals to decide for themselves, but I think anyone who is concerned about cybersecurity should understand some of the issues involved. We are likely to see many more products like Cayla appearing on the market. Some will be for children, others for teens, and many aimed at adults. Some will be great, some exploitative, and some will, no doubt, be just plain shoddy.

So let’s take an engineer’s look at Cayla. The complaint document sent to the Federal Trade Commission is against Genesis Toys and Nuance Communications and was lodged by the Electronic Privacy Information Center and Consumers Union, among others. Genesis Toys is a Hong Kong corporation that developed the doll. Nuance Communications is a US corporation that retains and processes data collected by the Cayla doll. The exact relationship between Genesis and Nuance is not clear to me, but they are two separate corporations.

Cayla’s architecture is fairly simple. The doll itself is the equivalent of a Bluetooth headset that acts as a microphone and speaker for an app that runs on a smartphone, like an iPhone or an Android. The app communicates with a cloud service that supplies computing and storage resources that power Cayla.

This architecture has issues. Bluetooth headsets are insecure. I mentioned in a blog a few months ago that the NSA has banned commercial Bluetooth headsets for classified or confidential information. Here. A criminal hacker would not have much trouble listening in on a child’s conversations with Cayla and interjecting their own questions and suggestions. Imagine a pedophile speaking through Cayla suggesting to a three-year-old that they meet out in the street. The Bluetooth standard says the protocol is good to ten meters (30 feet) but special equipment can extend the range substantially. Also, Bluetooth signals, essentially the same as Wi-Fi, penetrate walls.

Even in isolated spots where Bluetooth intrusion may not be a consideration, Cayla has vulnerabilities. The FTC complaint points out that Cayla is programmed to promote certain commercial products, such as movies. In addition, the information that Cayla collects, like names, locations, favorite foods and toys, etc., is stored in the cloud. The Genesis Toys privacy policy states that this information is kept and analyzed by Nuance Communications and may be shared. I should note that while I was writing this blog, the posted Genesis privacy statement was changed. You may want to check it for yourself.

Cayla simulates conversation, answers and asks questions, and can, or potentially can, do all of the things Alexa, Cortana, Siri, and Google Home can do: order pizza, open the front door, adjust the thermostat, call for an Uber. The list gets longer every day. Cayla can’t do all these things now, but the technology she is built upon can. Cayla’s limits are set by the discretion of Genesis Toys and Nuance Communications. Parents may want to be certain that controls are in place that will prevent their three-year-old from ordering a dozen pizzas or their ten-year-old embarking on a trip to Aruba. I don’t suggest that Cayla is likely today to cause these things to happen. Rather, parents should be aware that these new products make such mishaps possible.

Like the living doll on Twilight Zone, Cayla is a new technology with unexpected powers and these powers can harm us if they are not used properly.

In another blog, I plan to discuss the steps I would take when deciding whether I want a product like Cayla in my home. These products have amazing potential for improving our lives and could be more fun than a barrel of monkeys for our children. But they can also be dangerous. You should choose with knowledge and good judgement.