An acquaintance of mine told me he received a notification from his doctor about cybersecurity vulnerabilities in his pacemaker. He’s not alone, considering the FDA issued an alert about security flaws in 465,000 pacemakers which use radio frequency communications and came from Abbott (formerly St. Jude Medical).
The “fix” is not a surgical replacement of the pacemaker, but a firmware update that takes about three minutes to complete and carries a “very low risk of update malfunction”; a very small percentage of people might experience a “complete loss of device functionality” during the firmware update. The patch covers St. Jude Medical’s pacemakers: Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure.
His doctor, who he swears has been very good to him in the past, said he could come in and have the firmware fix if he wanted to, but advised against it, as if it weren’t much of an issue. Unlike some pacemaker patients, this dude works in IT and understands the impact described in the ICS-CERT advisory:
Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
The pacemaker vulnerabilities include improper authentication which can be compromised or bypassed, another flaw which could allow a nearby attacker to issue commands to drain the battery, as well as sensitive patient information being transmitted without encryption.
The code to exploit the pacemakers is reportedly not floating around in the wild, but it seems unwise for any cardiologist to downplay the risks and discourage patients from coming in to get the firmware update. Perhaps not all understand why the firmware is important; after all, an Abbott press release noted that, according to an advisory issued by the U.S. Department of Homeland Security, “compromising the security of these devices would require a highly complex set of circumstances.”