St Jude and Abbot Pacemakers Need Security Update.

If you or someone you know uses a pacemaker from Abbot or St Jude Medical, there is a firmware upgrade waiting for you at your next check-up.  Or even sooner, depending on what you and your doctor decide.  This upgrade closes a security hole that could allow an unauthorized person or attacker to change programming on the pacemaker.  This vulnerability can lead to sudden loss of battery power, an increase or reduction in the pacer timing, or deliver unexpected defibrillation shocks.  These commands could be sent over the radio connection these pacemakers use to communicate with their base station and the doctor.

We have spent some time reporting about the massive cybersecurity nightmare that is the “Internet of Things.”  The list of devices that have been successfully hacked include web cameras, environmental control systems, home network hubs, Internet and wireless routers, and automobiles.  This is only a partial list, but you can use your imagination to figure out why attacks on these devices may be bad for your health.

The issue with the pacemakers was discovered by security researcher MedSec back in September 2016.  As is often the case, instead of thanking the researchers, SJM sued them.  Once the FDA investigated and confirmed the report, St Jude dropped the lawsuit and worked on fixing the problem.  The main issue was the use of weak 24-bit RSA encryption used in authentication, and the use of a hard-coded 3 byte override code.  These issues are being addressed in the firmware update.  There is a very low risk of failure (0.62%) and when these updates have failed in the past, they were successfully upgraded on a second attempt.  So a very low risk factor.

Here’s the list of affected devices:

  • Current
  • Promote
  • Fortify
  • Fortify Assura
  • Quadra Assura
  • Quadra Assura MP
  • Unify
  • Unify Assura
  • Unify Quadra
  • Promote Quadra
  • Ellipse

There are no known cases where a pacemaker has been taken over by an unauthorized person, so far.  The upgrade procedure can be done in the doctor’s office without surgery, lasts about 3 minutes, and may cause brief discomfort.   During the upgrade, the device runs in backup mode at 67 beats per minute, and would be unable to respond to a cardiac event that occurred during the upgrade.  This not a should do, but a must do, so check with your cardiologist and find out what your treatment plan is for this upgrade.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.