
New Vulnerabilities Recently Discovered in Bluetooth® Pairing Specifications

Vulnerability Overview

Hospitals and other providers rely heavily on Bluetooth® connections, not only for the ubiquitous phone headsets and keyboards but also as a major technology supporting connected medical devices. Bluetooth® Low Energy also supports location tracking with much higher accuracy than traditional Radio Frequency Identification (RFID).

Researchers at the Israel Institute of Technology recently identified two security vulnerabilities that may be present within the healthcare community. The two affected features, Secure Simple Pairing and LE Secure Connections, permit an adversary in close proximity to perform a man-in-the-middle attack. This attack could result in the total compromise of the devices. The root cause of the vulnerability is that the Bluetooth® specification recommends, but does not require, a stronger encryption key validation step.

It is important to recognize that not every manufacturer or device is vulnerable – only those that were designed without the public key validation described here: Missing Required Cryptographic Step – CVE-2018-5383
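The public key validation in question is a check that the point a peer sends during pairing actually lies on the elliptic curve used for the key exchange. The sketch below is an added illustration, not code from the Bluetooth® specification or from any vendor; it uses the NIST P-256 curve used by LE Secure Connections, and the 64-byte little-endian X||Y layout, the function names and the sample keys are assumptions constructed for the example.

```python
# Added example: validate a peer's ECDH public key before deriving any secret.
# NIST P-256 domain parameters (public constants).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int) -> bool:
    """True only if (x, y) satisfies y^2 = x^3 + ax + b (mod p)."""
    # Range check first: coordinates must be canonical field elements.
    if not (0 <= x < P and 0 <= y < P):
        return False
    # Both coordinates take part in the equation, so a change to either one
    # is detected. P-256 has cofactor 1, so every on-curve point is in the
    # correct group.
    return (y * y - (x * x * x + A * x + B)) % P == 0


def parse_peer_key(raw: bytes) -> tuple[int, int]:
    """Split a 64-byte key into X and Y (assumed layout: little-endian X||Y)."""
    if len(raw) != 64:
        raise ValueError("peer public key must be 64 bytes")
    return int.from_bytes(raw[:32], "little"), int.from_bytes(raw[32:], "little")


def accept_peer_key(raw: bytes) -> tuple[int, int]:
    """Return the point if valid; raise so the caller aborts pairing if not."""
    x, y = parse_peer_key(raw)
    if not is_on_curve(x, y):
        raise ValueError("peer public key is not on P-256: abort pairing")
    return x, y


if __name__ == "__main__":
    # Constructed sample keys: the curve's base point, and a copy with one
    # bit of Y changed.
    good = GX.to_bytes(32, "little") + GY.to_bytes(32, "little")
    altered = GX.to_bytes(32, "little") + (GY ^ 1).to_bytes(32, "little")
    print("valid key accepted:", accept_peer_key(good) == (GX, GY))
    try:
        accept_peer_key(altered)
    except ValueError as exc:
        print("altered key rejected:", exc)
```

A device that performs this check on every received key, and aborts pairing when it fails, is doing the step the updated specification makes mandatory.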

A Solution Is Coming, But Only for Some Products

As a result of the discovery, the Bluetooth® specification has now been updated to require products to validate the public encryption keys. It will take some time, years perhaps, for all product manufacturers to update their products to comply with the updated specifications.

The challenge of closing vulnerabilities in legacy devices is much harder. Manufacturers of Bluetooth® products will need to develop and distribute software patches, perhaps as firmware, through normal distribution channels. We must recognize that certain devices may not be capable of being patched, and those devices will always remain vulnerable. For these devices, the limited options for implementing compensating controls may impact future operations and budgets.

Higher Risk Scenarios

The key risk factor is the proximity of an attacker to a vulnerable device. The following scenarios are more likely to be higher risk for healthcare providers and are preliminarily ranked:

Recommended Risk Mitigation Activities

As with all new vulnerabilities, organizations need to update their risk analysis. The above five likely scenarios should be added to the risk register and then ranked based on the use and exposure to potential adverse actors.

The first step will be to instruct procurement to stop procuring devices with these vulnerabilities. It may be necessary to add a qualifying step and have suppliers certify that CVE-2018-5383 – Missing Required Cryptographic Step – has been mitigated.

For legacy equipment, providers also need to monitor the hardware manufacturers for future firmware and software updates. The primary area of focus will be the high-likelihood/high-probability conditions we find in medical devices. Collectively, we can be proactive and start asking each manufacturer whether they are vulnerable to this error and what steps they are taking to fix the legacy devices. The more organizations that demand updates, the more pressure device manufacturers will be under to release fixes.

Key Lesson

The key lesson is that providers should continually monitor their external and internal environments for changes in vulnerabilities and threats, then update their risk analysis to reflect the adjusted risk profiles. Contact us if you need help doing this.