SweynTooth Vulnerabilities SECURITY BULLETIN

March 4, 2020

VULNERABILITY SUMMARY

Background
Medtronic is aware of and is monitoring a series of Bluetooth® Low Energy (BLE) cybersecurity vulnerabilities, collectively known as “SweynTooth”, that were publicly disclosed in mid-February 2020 by security researchers at the Singapore University of Technology and Design (SUTD).

These vulnerabilities exist in the BLE stack firmware of some pre-made (third-party) BLE hardware components used in products across a range of industries, and they have the potential to interrupt BLE communication service.

To date, no cyberattack, data breach, or patient harm involving a Medtronic product has been observed or associated with these vulnerabilities.

Medtronic Response
Our technical teams have assessed the situation to understand any potential impact to Medtronic products.

To date, our analysis has confirmed these hardware components are present in some Medtronic products in both our Cardiac & Vascular and Diabetes product lines. However, our assessment indicates the impact is limited to potential disruption of communication function and does not impact therapy.

Compensating Controls and Recommended Actions

Cardiac & Vascular Products:

  • Exploitation of the SweynTooth vulnerabilities in Medtronic Bluetooth-enabled pacemakers and implantable cardioverter-defibrillators (ICDs) does not impact therapy delivery, due to the product design. Medtronic pacemakers and ICDs that use BLE communication have security protections that mitigate or substantially reduce any impact associated with BLE vulnerabilities, including those identified in the SweynTooth report; we confirmed this through testing. For these reasons, we are not currently planning any updates.
  • The impact of the SweynTooth vulnerabilities is limited to a potential disruption of BLE communication between the pacemaker/ICD and the mobile device or BLE monitor. Normal communication with the implanted device can be re-established by one of several methods, including via the clinic programmer, the patient application, or the programming wand. Users should continue to follow the applicable instructions for BLE use and troubleshooting.
  • Although the Bluetooth remote monitoring functions in these devices can be disabled by a clinician, Medtronic recommends that patients and physicians continue to use devices as intended, including remote monitoring, as the benefits of device therapy outweigh the potential risk associated with these vulnerabilities.

Diabetes Products:

  • Pre-made hardware components containing the SweynTooth vulnerabilities are present in some Diabetes products currently on the market. A product list is included below. Neither the insulin pumps nor the continuous glucose monitoring (CGM) transmitters that communicate with pumps contain the affected hardware components.
  • Exploitation of the SweynTooth vulnerabilities does not impact therapy. The impact is limited to a potential disruption of BLE communication between the affected Diabetes device and the paired mobile device.
  • Diabetes products using BLE communication protocols have security protections that are designed to mitigate or substantially reduce any impact associated with BLE vulnerabilities, including those identified in the SweynTooth report, which we confirmed through testing.
  • Medtronic is actively following the guidance provided in the FDA communication for manufacturers and will continue to assess new information concerning the SweynTooth cybersecurity vulnerabilities. Medtronic will continue to follow standard quality practices to evaluate how devices using BLE technology are potentially impacted by these vulnerabilities, to complete all testing, and to determine appropriate next steps. Medtronic recommends that patients and physicians continue to use devices as intended, as the benefits of device therapy outweigh the potential risk associated with these vulnerabilities.

At Medtronic, we take cybersecurity seriously and have teams actively engaged in these matters, including maintaining contact with our suppliers for updates. We monitor our products and systems to assess any impact associated with cybersecurity issues and take appropriate actions as circumstances dictate.

Additionally, Medtronic will continue to follow established coordinated disclosure processes for any significant security vulnerabilities associated with our products or any updates associated with these vulnerabilities.

Cardiac & Vascular Products with Affected Hardware Components:

  • Azure™ portfolio of Pacemakers
  • Percepta™, Serena™, Solera™ portfolio of Cardiac Resynchronization Therapy Pacemakers (CRT-P)
  • Cobalt™ and Crome™ portfolio of implantable cardioverter-defibrillators (ICD) and cardiac resynchronization therapy-defibrillators (CRT-D) (CE Mark only, not approved in US)

Diabetes Products with Affected Hardware Components:

  • Guardian™ Connect glucose sensor transmitter (part of the Guardian™ Connect stand-alone CGM system)
  • Envision™ Pro glucose recorder (part of the Envision™ Pro professional CGM system)
  • MiniMed™ Connect uploader (a secondary display accessory for the MiniMed 530G or the MiniMed Paradigm® REAL-Time Revel™ sensor-augmented pump system)

Neither the insulin pumps nor the continuous glucose monitoring (CGM) transmitters that communicate with pumps contain the affected hardware components.

For More Information

Customers needing additional information should contact security@medtronic.com.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Medtronic is under license.