New Vulnerabilities Recently Discovered in Bluetooth® Pairing Specifications
Hospitals and other providers rely heavily on Bluetooth® connections, not only for the ubiquitous phone headsets and keyboards: Bluetooth® is also a major technology supporting connected medical devices. Bluetooth® Low Energy also supports location tracking with much higher accuracy than traditional Radio Frequency Identification (RFID).
Researchers at the Israel Institute of Technology recently identified two security vulnerabilities that may be present within the healthcare community. The two affected features, Secure Simple Pairing and LE Secure Connections, permit an adversary in close proximity to perform a man-in-the-middle attack, which could result in the total compromise of the devices. The root cause of the vulnerability is that the Bluetooth® specification recommends, but does not require, a stronger encryption key validation step.
It is important to recognize that not every manufacturer or device is vulnerable; only those designed to bypass the public key validation described here are affected: Missing Required Cryptographic Step – CVE-2018-5383
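As an added illustration (not code from the article, the researchers, or any manufacturer), the public key validation step the text refers to, in Python: a received P-256 point is accepted only if its coordinates lie in the field and satisfy the curve equation, which is the check a device affected by CVE-2018-5383 omits. The 32-byte little-endian X-then-Y layout of the pairing PDU body is an assumption about the SMP encoding, and the sample keys are constructed.

```python
# P-256 (secp256r1) domain parameters; this is the curve that Bluetooth Secure Simple
# Pairing and LE Secure Connections use for their ECDH key exchange.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Generator point, used here only as a known-good public key for self-checks.
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_valid_p256_public_key(x: int, y: int) -> bool:
    """Full public-key validation for P-256: the step CVE-2018-5383 devices skipped.

    P-256 has cofactor 1, so once the point is in range and on the curve there is
    no small subgroup to check; the on-curve test is the whole validation.
    """
    # Coordinates must be field elements; this also rejects the point at infinity,
    # which has no affine encoding, and any out-of-range garbage.
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    # Curve equation y^2 = x^3 + a*x + b (mod p). An off-curve point must be rejected
    # before it is ever fed to the scalar multiplication that derives the shared key.
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def parse_pairing_public_key(payload: bytes) -> tuple:
    """Decode the 64-byte body of an SMP Pairing Public Key PDU into (x, y).

    Assumption (SMP convention for multi-octet fields): X is the first 32 octets
    and Y the next 32, each little-endian.
    """
    if len(payload) != 64:
        raise ValueError(f"expected 64-byte public key body, got {len(payload)}")
    return int.from_bytes(payload[:32], "little"), int.from_bytes(payload[32:], "little")


def accept_peer_public_key(payload: bytes) -> bool:
    """Pairing gate: True only if the peer's key validates; otherwise abort pairing."""
    try:
        x, y = parse_pairing_public_key(payload)
    except ValueError:
        return False
    return is_valid_p256_public_key(x, y)


# Constructed sample inputs (not captured from any real device):
GOOD_KEY = P256_GX.to_bytes(32, "little") + P256_GY.to_bytes(32, "little")
BAD_KEY = P256_GX.to_bytes(32, "little") + (P256_GY ^ 1).to_bytes(32, "little")
```

A device that returns False from accept_peer_public_key must abort the pairing procedure; continuing the Diffie-Hellman computation with an unvalidated point is exactly the condition the updated specification now forbids.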
A Solution Is Coming, But Only for Some Products
As a result of the discovery, the Bluetooth® specification has now been updated to require products to validate the public encryption keys. It will take some time, years perhaps, for all product manufacturers to update their products to comply with the updated specifications.
The challenge of closing vulnerabilities with legacy devices is much harder. Manufacturers of Bluetooth® products will need to develop and distribute software patches, perhaps as firmware, through normal distribution channels. We must recognize that certain devices may not be capable of patching and those devices will always remain vulnerable. For these devices, the limited options to implement compensating controls may impact future operations and budgets.
Higher Risk Scenarios
The key risk factor is the proximity of an attacker to a vulnerable device. The following scenarios are likely to be higher risk for healthcare providers and are ranked on a preliminary basis:
- Medical Devices: Because of the potential for significant adverse impact to patient safety and the close proximities in hospitals, medical devices are likely the top concern for providers. We can expect some manufacturers to start releasing patches that address the vulnerabilities, but we should anticipate that some devices have been designed without an update capability; for those, this risk will persist throughout the lifecycle.
- Computer and Tablet Headsets/Keyboards/Mice: As tablets proliferate, the use of Bluetooth® keyboards, mice, and headsets will also increase. As with medical devices, the proximity to uncontrolled areas may permit an attacker access to these systems.
- Bluetooth® Low Energy (BLE) tracking: Some providers are adopting BLE technology to track people and equipment because its lifecycle cost and increased accuracy are desirable. These BLE devices are likely to share a hospital's IT network, so it may be possible to attack the core of the hospital directly through a Bluetooth® host.
- Cell Phones and Headsets: Because an attacker must remain close (approximately 30 feet) to the intended target, the likelihood of a successful attack is diminished by movement. The likely locations for a successful attack are where staff are near others, such as at a conference or in an airplane or airport.
- Vehicle-to-Phone: The risk to moving vehicles will be limited by their mobility, but should not be discounted entirely. Many vehicles require public key validation through an affirmative confirmation step before pairing with a phone, so the residual risk is likely low.
Recommended Risk Mitigation Activities
As with all new vulnerabilities, organizations need to update their risk analysis. The above five likely scenarios should be added to the risk register and then ranked based on the use and exposure to potential adverse actors.
The first step will be to instruct procurement to stop acquiring devices with these vulnerabilities. It may be necessary to add a qualifying step and have suppliers certify that CVE-2018-5383 – Missing Required Cryptographic Step – has been mitigated.
For legacy equipment, providers also need to monitor the hardware manufacturers for future firmware and software updates. The primary area of focus will be the high-likelihood/high-impact conditions we find in medical devices. We can collectively be proactive and start asking each manufacturer whether they are vulnerable to this error and what steps they are taking to fix the legacy devices. The more organizations that demand updates, the more pressure the device manufacturers will have to release fixes.
The key lesson is that providers should continually monitor their external and internal environments for changes in vulnerabilities and threats, then update their risk analysis to reflect the adjusted risk profiles. Contact us if you need help doing this.