Patients with pacemakers manufactured by Abbott — formerly St. Jude Medical’s — are advised to reach out to their doctors and inquire about the availability of a security update for their implanted medical devices.
The security update will fix three vulnerabilities discovered last year by MedSec Holdings Ltd.. The flaws are detailed in a security alert issued by the Department of Homeland Security’s CERT team.
Flaws are not easy to exploit
US CERT says the flaws allow attackers to gain access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
Despite the dire consequences, US CERT experts say the attacks are not easy to pull off, as there’s no public exploit code to help attackers develop their own attack packages, and exploitation requires a high level of skills, that very few programmers possess.
In addition, attackers need to be sufficiently close (few inches) to the target pacemaker as to allow RF communications.
The flaws were discovered by MedSec, a company that Abbott is very familiar with. In September 2016, Abbott sued MedSec and fellow security company Muddy Waters, claiming the two companies organized a media stunt on the back of vulnerabilities in its pacemakers. Those flaws, detailed here, were eventually fixed in January 2017.
The recent vulnerabilities discovered by MedSec were also fixed about the same time, but the US Food and Drug Administration (FDA) only yesterday approved the pacemaker software patches for public release.
Patients urged to contact doctors
The FDA and Abbott are now encouraging patients to reach out to doctors and inquire about their pacemaker brand and if they need to schedule sessions to receive the security update.
Abbott estimates it would take around three minutes for doctors to install the update by placing an RF wand over the pacemaker. Worst case scenarios include:
— reloading of previous firmware version due to an incomplete update
— loss of currently programmed device settings (0.023%)
— complete loss of device functionality (0.003%)
— loss of diagnostic data (not reported).
Abbott, US CERT, and the FDA said no attacks using the MedSec flaws were reported or discovered. According to FDA data, there are around 465,000 pacemakers installed across the US that are impacted by the disclosed vulnerabilities.
Abbott acquired St. Jude Medical’s in late 2016 – early 2017.