About 350,000 implantable defilibrators are up for a firmware update, to address potentially life-threatening vulnerabilities.
Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. The update will strengthen the devices’ protection against unauthorized access, as the provider said in a statement on its website: “It is intended to prevent anyone other than your doctor from changing your device settings.”
The patch is part a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude’s cardiac implant ecosystem was rife with cybersecurity flaws that could result in “catastrophic results.”
“It’s important to note that the FDA advisory is not based on any new cybersecurity vulnerabilities that have been identified – it’s all part of the same effort, just now on a new set of products,” an Abbott spokesperson told Threatpost. “Any time we make an update to a new product, we need to develop, test, validate and secure regulatory approval for the software changes for each product. We did these updates sequentially, beginning with pacemakers in 2017, and at the time we indicated that there would be future updates to defibrillators. These are those updates. Finally, as was the case in 2017, there remain no reports of unauthorized access to any patient’s implanted device.”
The original issue lies in a universal, hardcoded unlock code that, if discovered, would give a hacker backdoor access to all affected devices. Also, the Merlin@home transmitter was found to be vulnerable to a man-in-the-middle attack. When taken together, the backdoor could be exploited to send commands from the Merlin@home transmitter, so that an attacker could manipulate the implants and cause heart problems and even death.
The findings, from MedSec and Muddy Waters, resulted in a defamation suit by the medical provider against the security researchers, but after a damning FDA report (and a U.S. Department of Homeland Security ICS-CERT advisory) that backed up the concerns as legitimate, St. Jude subsequently started rolling out updates. It also issued a voluntary recall.
That same FDA report also noted that St. Jude had been aware of the problem since at least 2014.
It should be noted that Abbott is not alone in building devices without adequate security built into its design. Last year, 8,000 vulnerabilities were discovered across seven different pacemaker programmers (a device used for programming pacemakers) from four different manufacturers. White Scope, which reported all of the vulnerabilities to DHS ICS-CERT, focused its research on programmers that have RF capabilities. Thousands of flaws in third-party libraries came to light—and all of the programmers that White Scope examined had outdated software with known vulnerabilities. For instance, many of them run Windows XP.
“Connected devices have become the weakest link in a hospital’s cybersecurity chain,” Leon Lerman, CEO at Cynerio, told Threatpost. “These connected devices were not built with security in mind, they very often run obsolete operating systems, use unsecure communication protocols and are typically out of scope for traditional IT security solutions, and therefore are difficult to protect. Hospitals must act to secure their ecosystem, and protect the data of their patients – the success of a cyberattack really could be a case of life or death.”
Abbott said that it has had no reports of hacking or unauthorized access to any patient’s device, but the pacemaker-hacking scenario has been proven out in past security research. In 2012, the late IoT researcher Barnaby Jack, then at IOActive, demonstrated that several vendors’ pacemakers could be remotely controlled and commanded to deliver a 830-volt shock via a laptop, That is, of course, enough to kill someone, and Jack noted at the time that the vulnerabilities open the door to “mass murder.”
“With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential breaches is great; [vulnerable] devices can vary from MRI machines to an insulin pump, the latter of which could result in an attacker administering a fatal dose,” Lerman said.
In Abbott’s case, getting the update requires an in-office visit, but it’s non-intrusive: “During the upgrade a wand will be placed over your ICD or CRT-D and will transfer the information to the device,” Abbott said. “At the end of the process, the final settings on your device will be reviewed to ensure that the updates have been completed successfully. The upgrade process takes approximately three minutes to complete.”
Abbott also suggests that patients discuss with their doctor to find out if the update “is right for you” – a choice that at least one researcher flagged as indicative of not thinking cybersecurity through.
“It’s great to see security updates being pushed by medical device manufacturers, but turning the physician into a medical-device ‘Genius Bar’ employee seems like a questionable choice,” said Rod Schultz, chief product officer at Rubicon Labs. “This process does not scale, and device security, firmware updates, and authentication are definitely not in the core competency of most heavily overworked physicians. This problem is only going to get harder to solve as we connect more and more devices, and cloud services to fix this problem are desperately needed.”