Singapore: Cybersecurity Advice on Vulnerabilities Affecting Medical Devices That Use Classic Bluetooth
- ARQon

- Dec 17, 2021
The Health Sciences Authority (HSA) has shared its findings on a set of recently uncovered cybersecurity vulnerabilities known as "BrakTooth". Various IoT devices, including medical devices that use specific Bluetooth Link Manager Protocols, are vulnerable to these flaws. Bluetooth Classic chips from at least ten major brands are reported to be affected by the BrakTooth vulnerabilities as of today.
Risk of Cybersecurity Vulnerabilities (BrakTooth)
Medical devices exposed to BrakTooth allow an attacker within radio range to cause deadlocks, crashes, or the execution of arbitrary code, resulting in the failure of crucial device functions. Security patches issued by the individual Bluetooth chip developers must be applied to the affected devices to resolve these vulnerabilities.
Industry stakeholders can refer to the links below for detailed information, including the method to identify whether their medical devices are affected by the vulnerabilities:
• SingCERT alert (https://www.csa.gov.sg/singcert/Alerts/al-2021-051)
• SUTD publication (https://asset-group.github.io/disclosures/braktooth/)
Recommendations for Industry Stakeholders
HSA shared a few points on how stakeholders can address these vulnerabilities, as follows:
• Identify the affected medical devices by referring to the SingCERT Alert and SUTD publication
• Report the identified affected medical devices to HSA at HSA_MD_INFO@hsa.gov.sg
• Perform a risk assessment of the vulnerabilities and the impact on the medical devices with reference to their intended use
• Develop risk mitigation plans, including interim workarounds (e.g. segregation controls), to manage the risk until the devices can be patched
• Ensure that the necessary security patches are rolled out to all affected devices locally in a timely manner
• Communicate with the healthcare institutions and the end users, and recommend necessary actions to reduce the risk and potential harm to the patients and users.
Contact us at info@arqon.com for more info