The wireless technology does much to make our lives easier but also raises important privacy concerns

Hospital Room and Medical Devices / Faster and Longer-Range Bluetooth Will Soon Be Available—But Is That a Good Thing?
Image: Pixabay
December 01, 2016

Medical devices. Cars. Pregnancy tests. What do these have in common? They each use Bluetooth.

Yes, even pregnancy tests.

Faster Connectivity, Longer Distances

The tech community is eagerly awaiting the arrival of the newest version of the wireless technology, Bluetooth 5. PCWorld reports that this version will be a great improvement over the current version, Bluetooth 4.2, by "giving users faster connectivity among devices over longer distances."

Chuck Sabin is the director for business strategy at the Bluetooth-Special Interest Group, which sets Bluetooth's standards. According to Sabin, the new version will work at distances up to 120 meters (roughly 393 feet) in typical settings—four times the range of the current version. Bluetooth 5 will also be two times as fast, with data transfer rates of 2Mbps (megabits per second).

The first Bluetooth versions were used in audio equipment, headsets, and vehicles. Times have changed, however, and technology has changed with them. Bluetooth is now a central component in the so-called "Internet of Things," defined as "a network of everyday devices, appliances, and other objects equipped with computer chips and sensors that can collect and transmit data through the Internet." Bluetooth can now be used to connect and automate items most people would never have dreamed of, e.g. pregnancy tests.

This development undoubtedly makes life easier personally and professionally for countless people. But it also leaves us more vulnerable even as it helps us.

Bluetooth and Your Cell Phone

Bluetooth is found nearly everywhere these days. In fact, chances are that you have a Bluetooth device with you right now in your pocket, in your purse, or on your desk. Nearly every cell phone is now compatible with this wireless technology, and on the surface this feature would seem to help keep us safe, not put us in danger. If you connect your phone to a compatible headset using Bluetooth—a process known as pairing—you can make and receive calls without actually holding the phone. This is certainly much more convenient than having to hold a chunk of plastic to our heads for long periods of time, and when it comes to driving, it could seem to be almost a godsend. Bluetooth enables drivers to talk while keeping both hands on the wheel at the same time, reducing the risk of accidents and injuries.

So Bluetooth in mobile devices is convenient and can improve safety. What could be the downside?

60 Minutes describes a hacking demonstration that took place at an event known as Def Con, a conference for hackers. Adam Laurie used radio frequency information—Bluetooth—to hack into correspondent Sharyn Alfonsi's phone. He brushed by her in a hallway and, using a special hand-held device, transmitted a certain credential over to Alfonsi's phone. This credential not only made her phone trust Laurie's Bluetooth, it even made it dial his phone, enabling him to hear anything said in the room where Alfonsi's phone was at that moment.

And all it took was one physical touch.

This may not seem like a big deal at first, but the implications are highly significant for anyone working with private, sensitive, or confidential information. Doctors may discuss a particular patient's case in a hospital, completely unaware that the patient's former spouse has been stalking him or her and is listening in. Top company executives may get together for lunch and discuss upcoming products and strategies, not knowing that the competition is taking notes. Government officials may talk about foreign policy on the way to the parking lot, ignorant of the spy on the other end of the line.

Bluetooth in our cell phones may help us in many ways, but it may harm us in many others.

Wireless While You Work (Out)

It seems like there is a new fitness product on the market nearly every month, companies and consumers both hoping against hope that this will be the one that sticks and motivates people to get in shape. One of the most popular right now is the wearable fitness tracker.

Worn like a bracelet or a watch, the fitness tracker monitors attributes such as physical activity and heart rate. These devices usually use a technology known as Bluetooth Low Energy (BLE) to communicate with apps on mobile devices and transfer the data to them using signals. Unfortunately, fitness trackers are no more secure than cell phones, and the data they transmit are just as vulnerable.

Scott Lester is a senior researcher at Context Information Security. He described the dangers of Bluetooth fitness trackers to ComputerWeekly.

"Many people wearing fitness devices don't realise they are broadcasting constantly and that these broadcasts can often be attributed to a unique device," he said. "Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device that belongs to a celebrity, politician or senior business executive within 100 metres [328 feet] in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people's movements."

The danger is so real that China has instituted a ban on wearables connected to the Internet for all members of its armed forces while on duty, writes the BBC.

According to Lester, while BLE is a powerful technology in and of itself, it also represents "yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market."

Smarter Cars, Smarter Thieves

Bluetooth's usefulness for hands-free calling while driving has already been noted. But there is another link between the technology and vehicles, one that integrates Bluetooth into the car itself.

Newer vehicles contain software that is compatible with Bluetooth, enabling drivers and passengers to pair car with phone. This means that drivers can bypass headsets completely when making or receiving calls. In combination with voice recognition technology, Bluetooth enables people to compose text messages or have them read out loud by their phone through the vehicle's speakers. Playlists on mobile apps such as iTunes and Pandora can be streamed to the car so that listeners can pick up where they left off at work or home.

But integrating computers into cars has also led auto thieves to up their game and become hackers. Kathleen Fisher, a project manager for the federal Defense Advanced Research Projects Agency, told NBC News about researchers at the University of California San Diego and the University of Washington hacking into vehicles and wresting away control of their electronics as far back as 2012.

"These attacks involved infecting the computers in the repair shop and then having that infection spread to the car through the diagnostic port, or hacking in through the Bluetooth system, or using the telematics unit that's normally used to provide roadside assistance," Fisher said.

If Bluetooth can be used to track phones and fitness trackers, why not vehicles? If it can cause one phone to dial another, what might it cause a two-ton car to do?

Code Blue for Medical Devices

Many people may be surprised to learn that numerous modern medical devices use Bluetooth. Glucose monitors, blood pressure equipment, blood sugar monitors, and pacemakers are all compatible with the technology, a fact that healthcare professionals often put to use in treating patients.

The Houston Chronicle lists numerous benefits to the integration of Bluetooth into medical devices. One is that it enables the devices to send all readings straight to a central computer or vital signs monitor, allowing healthcare professionals to focus on caring for patients rather than recording information as well as reducing the likelihood of human error when compiling such data. Other benefits may include automatically updating patient records so that the latest information is always available to the doctor, real-time monitoring of outpatient progress, and automatically adjusting a medication dosage when needed.

However, such features could be turned to nefarious uses, as Bloomberg reports. Billy Rios is what is known as a "white hat" hacker, an independent security researcher who works to find security flaws in software and devices and provides the findings to companies so that they can fix the vulnerabilities. After developing an interest in hacking medical devices, Rios ordered his own Hospira Symbiq infusion pump and worked on it at home, eventually discovering alarming vulnerabilities.

"Rios connected his pump to a computer network, just as a hospital would, and discovered it was possible to remotely take over the machine and "press" the buttons on the device's touchscreen, as if someone were standing right in front of it. He found that he could set the machine to dump an entire vial of medication into a patient," writes Bloomberg.

"A doctor or nurse standing in front of the machine might be able to spot such a manipulation and stop the infusion before the entire vial empties, but a hospital staff member keeping an eye on the pump from a centralized monitoring station wouldn't notice a thing, he says."

Rios was not the only hacker to make such discoveries. Jay Radcliffe, a researcher who was also diabetic, demonstrated at the 2011 Def Con conference how he could hack into his Medtronic insulin pump and hijack it to deliver a dose that could prove lethal. In 2012, hacker Barnaby Jack showed Australian conference attendees how to remotely hack into a pacemaker to give a patient a dangerous shock. In 2013, Jack was scheduled to reveal a system at the Black Hat conference that would be able to locate any wirelessly-connected insulin pumps within a radius of 300 feet and then change the doses the pumps administered, but he died one week before the conference.

The Washington Post writes that such threats are so real that former Vice President Dick Cheney's doctor had the Bluetooth function in Cheney's pacemaker disabled in 2013 in order to avert potential assassination attempts via hacking.

"It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into-- hack into," said Dr. Jonathan Reiner.

Cheney agreed, stating that he thought the possibility was "credible."

What about the rest of us, those who live far out of the public eye? The risk is still real, writes InformationWeek, even if it is less likely: "Although a far more likely scenario would be for a cybercriminal to attack a hospital's Wi-Fi network (sometimes insanely easy to access) to gain access to all stored medical data, there's still a chance that a specific lifesaving piece of equipment could be targeted."

And even apart from the possibility of a patient receiving a lethal dose of a medication because their medical device has been hacked, many people may not view the prospect of a device tracking them with a kindly eye, even if the purpose is to provide their doctors with updated information about their progress as outpatients. Might some not see such features as an invasion of privacy too great to be endured and, as a result, reject the devices outright? If this happens, what will it mean for their health?

Drawing a Line

It is clear that a line must be drawn between the increased convenience we enjoy from the use of Bluetooth and other wireless technologies and the too-ubiquitous integration of such technologies into every aspect of our lives from our phones to our bodies. The only question is where to draw that line.

References: The Verge, PCWorld, Dictionary.com, 60 Minutes, ComputerWeekly, BBC, NBC News, The Houston Chronicle, Bloomberg, The Washington Post, InformationWeek