FDA Recalls 465K Pacemakers Tied to MedSec Research

Abbott Laboratories releases software fixes for pacemakers that could allow an attacker to wirelessly access the devices and steal personal data, drain the battery and disrupt normal life-sustaining operations.

The United States Food and Drug Administration is recalling 465,000 pacemakers to which attackers could gain unauthorized access in order to issue commands, change settings and maliciously disrupt operation. Affected are four models manufactured by Abbott Laboratories.

According to the FDA, the recalls of affected pacemakers are tied to research by MedSec Holdings that originally brought St. Jude Medical equipment flaws to light about a year ago. Abbott Laboratories acquired St. Jude Medical in January.

“Abbott has produced a firmware patch to help mitigate the identified vulnerabilities in their pacemakers that utilize radio frequency communications. A third-party security research firm has verified that the new firmware version mitigates the identified vulnerabilities,” according to the FDA.

“This incident is a reminder of how software has become integral to almost every aspect of our lives,” said Mike Pittenger, director of security strategy for security firm Black Duck. “As software ages more vulnerabilities are discovered. Why would software in a pacemaker or in a drug infusion pump be any different?”

The U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT) cites three vulnerabilities in its advisory affecting Abbott Laboratories’ pacemakers manufactured prior to August 2017, including the Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI models.

The highest rated of the three vulnerabilities (CVE-2017-12712) is related to the pacemaker’s authentication algorithm, authentication key and time stamp that can be compromised or bypassed. That could allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.

An additional bug (CVE-2017-12714) could significantly reduce the battery life of a pacemaker. “The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life,” according to the ICS-CERT advisory.
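The battery-drain flaw comes down to a missing bound: every correctly formatted wake-up is honoured, however many arrive. The following is an added example, not code from Abbott, ICS-CERT or the advisory, that models the reported behaviour beside a device-side sliding-window limit. The 60-second window, the budget of three wake-ups per window, the unit energy cost per wake-up and the arrival times of the constructed traffic are all assumptions chosen for illustration; the page states only that the devices did not limit the number of well-formed wake-up commands.

```python
"""Rate-limiting RF wake-up handling: the unbounded behaviour beside a bounded one.

Added example, not Abbott's or ICS-CERT's code. The 60 s window, the budget of
3 wake-ups per window and the per-wake-up energy cost are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

WAKE_COST_UNITS = 1.0  # assumed relative energy cost of one full wake-up


@dataclass
class UnlimitedReceiver:
    """Models the reported behaviour: every well-formed wake-up is honoured."""
    energy_spent: float = 0.0

    def on_wakeup(self, ts: float) -> bool:
        self.energy_spent += WAKE_COST_UNITS
        return True


@dataclass
class RateLimitedReceiver:
    """Honours at most `budget` wake-ups in any sliding `window` seconds.

    Excess commands are dropped before the radio stack is powered up, and
    counted so the anomaly can be surfaced to the clinic at the next check.
    """
    window: float = 60.0
    budget: int = 3
    energy_spent: float = 0.0
    suppressed: int = 0
    _recent: deque = field(default_factory=deque)

    def on_wakeup(self, ts: float) -> bool:
        # Forget wake-ups that have aged out of the sliding window.
        while self._recent and ts - self._recent[0] >= self.window:
            self._recent.popleft()
        if len(self._recent) >= self.budget:
            self.suppressed += 1
            return False
        self._recent.append(ts)
        self.energy_spent += WAKE_COST_UNITS
        return True


def replay(receiver, timestamps):
    """Feed a sequence of wake-up arrival times; return how many were honoured."""
    return sum(1 for ts in timestamps if receiver.on_wakeup(ts))


# Constructed traffic (not captured data): one legitimate wake-up at t=0,
# then 40 well-formed wake-ups one second apart, the repeated-command
# pattern the advisory describes.
LEGIT = [0.0]
BURST = [100.0 + i for i in range(40)]


def compare(timestamps=LEGIT + BURST):
    """Run both receivers over the same traffic and summarise the difference."""
    unlimited = UnlimitedReceiver()
    limited = RateLimitedReceiver()
    return {
        "unlimited_honoured": replay(unlimited, timestamps),
        "limited_honoured": replay(limited, timestamps),
        "limited_suppressed": limited.suppressed,
        "energy_ratio": limited.energy_spent / unlimited.energy_spent,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The limited receiver honours the single legitimate wake-up and the first three of the burst, then suppresses the remaining 37 while still counting them, which is the telemetry a clinic would want to see at the next visit. Legitimate wake-ups spaced minutes apart are unaffected by the limit.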

A third flaw (CVE-2017-12716) found in Accent and Anthem pacemakers is related to the fact that the devices transmit unencrypted patient information via RF communications to programmers and home monitoring units. Also problematic is that both pacemakers store patient data in clear text on the devices themselves.

“These vulnerabilities could be exploited via an adjacent network. Exploitability is dependent on an attacker being sufficiently close to the target pacemaker as to allow RF communications,” according to recall information.

This is the second time Abbott Laboratories has updated the heart implants. Last October, as a result of a U.S. government probe into potentially life-threatening hacks that could prematurely drain pacemaker batteries, St. Jude recalled a number of implanted heart devices. According to a Reuters report, premature battery depletion has been linked to two deaths in Europe.

Mitigation will require patients to visit their doctor for a short-range wireless update. Abbott warns the firmware updates should be approached with caution. “Like any software update, firmware updates can cause devices to malfunction,” it states. A botched update could result in anything from a loss of settings to complete loss of device functionality.

In April, the FDA sent Abbott Laboratories a warning letter citing that it had inadequately addressed the security of the maligned Merlin@home Transmitter. The Merlin@home Transmitter is a radio frequency transmitter designed by St. Jude Medical for at-home monitoring of patients with implanted defibrillators.

Vulnerabilities in the Merlin device and in others sold by St. Jude Medical and Abbott Laboratories were at the center of a report published last August by hedge fund Muddy Waters and MedSec Holdings. The disclosure was compounded by a short position Muddy Waters held on St. Jude Medical stock, which allowed it and MedSec to profit should St. Jude stock drop in value.

“Healthcare providers and patients should discuss the risk and benefits of the cybersecurity vulnerabilities and associated firmware update during the next regularly scheduled visit,” according to the FDA recall. As part of this discussion, it is important to determine if the update is appropriate given the risk of update for the patient, ICS-CERT said.
