Patients with pacemakers manufactured by Abbott (formerly St. Jude Medical) are advised to reach out to their doctors and inquire about the availability of a security update for their implanted medical devices.
The security update will fix three vulnerabilities discovered last year by MedSec Holdings Ltd. The flaws are detailed in a security alert issued by the Department of Homeland Security's CERT team.
US CERT says the flaws allow attackers to gain access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
Despite the dire consequences, US CERT experts say the attacks are not easy to pull off: there is no public exploit code to help attackers develop their own attack packages, and exploitation requires a high level of skill that very few programmers possess.
In addition, attackers need to be sufficiently close (a few inches) to the target pacemaker to allow RF communications.
The flaws were discovered by MedSec, a company that Abbott is very familiar with. In September 2016, Abbott sued MedSec and fellow security company Muddy Waters, claiming the two companies organized a media stunt on the back of vulnerabilities in its pacemakers. Those flaws were eventually fixed in January 2017.
The recent vulnerabilities discovered by MedSec were also fixed at about the same time, but the US Food and Drug Administration (FDA) only yesterday approved the pacemaker software patches for public release.
The FDA and Abbott are now encouraging patients to reach out to their doctors and inquire about their pacemaker brand and whether they need to schedule sessions to receive the security update.
Abbott estimates it would take around three minutes for doctors to install the update by placing an RF wand over the pacemaker. Worst case scenarios include:
Abbott, US CERT, and the FDA said no attacks using the MedSec flaws were reported or discovered. According to FDA data, there are around 465,000 pacemakers installed across the US that are impacted by the disclosed vulnerabilities.
Abbott acquired St. Jude Medical in late 2016 to early 2017.