St Jude and Abbott Pacemakers Need Security Update

If you or someone you know has a pacemaker made by St Jude Medical (now part of Abbott), there is a firmware update waiting for you at your next check-up, or sooner, depending on what you and your doctor decide.  This update closes a security hole that could allow an unauthorized person to change the programming on the pacemaker.  Exploiting it could drain the battery unexpectedly, speed up or slow down the pacing rate, or trigger unexpected defibrillation shocks.  The rogue commands could be sent over the radio-frequency (RF) link these devices use to communicate with their home base station and with the doctor's programmer in the clinic.

We have spent some time reporting on the massive cybersecurity nightmare that is the “Internet of Things.”  The list of devices that have been successfully hacked includes web cameras, environmental control systems, home network hubs, Internet and wireless routers, and automobiles.  That is only a partial list, but it takes little imagination to see why attacks on these devices may be bad for your health.

The issue with the pacemakers was reported by the security research firm MedSec in August 2016.  As is often the case, instead of thanking the researchers, St Jude Medical sued them.  Once the FDA investigated and confirmed the report, St Jude dropped the lawsuit and worked on fixing the problem.  The main issues were the use of weak 24-bit RSA keys in the authentication scheme and a hard-coded 3-byte override code.  Neither offers real protection: a 24-bit RSA modulus can be factored by simple trial division in a fraction of a second on an ordinary PC, which hands the attacker the private key, and a 3-byte code has only 16,777,216 possible values, so anyone who can talk to the device over RF can simply try them all.  Both issues are addressed in the firmware update.  There is a very low risk (0.62%) that the update fails, and when updates have failed in the past, the devices were successfully updated on a second attempt.
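To make the two weaknesses concrete, here is an added toy example (written for this article, not code from St Jude, Abbott or MedSec, and not a reproduction of the real device protocol).  It builds a 24-bit RSA key from two made-up 12-bit primes, shows that an attacker holding only the public key can factor the modulus and forge a valid "signed" command, and then brute-forces a hypothetical hard-coded 3-byte override code.  The primes, the exponent, the command value and the override code are all constructed for illustration.

```python
"""Toy demonstration of why a 24-bit RSA modulus and a 3-byte override code
give no real protection.  Constructed for this article; it does NOT reproduce
the St Jude/Abbott authentication protocol, and every value is made up."""

import math


def factor_trial(n):
    """Factor n = p*q by trial division up to sqrt(n).

    For a 24-bit n this is at most ~2048 odd candidates, i.e. instant.  The
    same loop on a 2048-bit modulus would need on the order of 2**1024 steps,
    which is why real RSA keys are that size."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")


def recover_private_exponent(n, e):
    """Given only the public key (n, e), rebuild the private exponent d."""
    p, q = factor_trial(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)          # modular inverse (Python 3.8+)


def sign(n, d, msg):
    """Textbook RSA 'signature' of a small integer message (no padding)."""
    return pow(msg, d, n)


def verify(n, e, msg, sig):
    """The device-side check: does the signature open to the message?"""
    return pow(sig, e, n) == msg


def brute_force_override(check):
    """Search the whole 3-byte (24-bit) override-code space.

    `check(code)` stands in for the device accepting or rejecting a code.
    Returns (code, attempts).  Worst case is 2**24 = 16,777,216 attempts,
    which a laptop finishes in seconds."""
    for code in range(1 << 24):
        if check(code):
            return code, code + 1
    raise ValueError("code not found")


# --- constructed demo values (not from any real device) -------------------
P, Q = 4093, 4099                     # two 12-bit primes
N = P * Q                             # 16_777_207, a 24-bit modulus
E = 65537                             # public exponent, coprime with phi(N)
SECRET_OVERRIDE = 0x01F3A7            # hypothetical hard-coded 3-byte code


def demo():
    """Attacker knows only (N, E): recover d, forge a command, guess the code."""
    d = recover_private_exponent(N, E)
    cmd = 0x2A                         # stand-in for a command identifier
    forged = sign(N, d, cmd)
    code, attempts = brute_force_override(lambda c: c == SECRET_OVERRIDE)
    return {
        "modulus_bits": N.bit_length(),
        "factors": factor_trial(N),
        "forged_signature_accepted": verify(N, E, cmd, forged),
        "override_code": code,
        "override_attempts": attempts,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is the asymmetry: the legitimate programmer and the attacker do exactly the same amount of work, because nothing about a 24-bit modulus or a 24-bit secret is out of reach of a desktop CPU.  A fix has to raise the cost for the attacker (standard-size keys, no fixed override code, and rate-limiting or lockout on failed attempts), not just change the values.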

Here’s the list of affected devices:

  • Current
  • Promote
  • Fortify
  • Fortify Assura
  • Quadra Assura
  • Quadra Assura MP
  • Unify
  • Unify Assura
  • Unify Quadra
  • Promote Quadra
  • Ellipse

So far there are no known cases of a pacemaker being taken over by an unauthorized person.  The update can be done in the doctor’s office without surgery, takes about 3 minutes, and may cause brief discomfort.  During the update the device runs in backup mode at a fixed 67 beats per minute and cannot respond to a cardiac event that occurs during that window, which is why it is done in a clinical setting rather than at home.  This is not a “should do” but a “must do,” so check with your cardiologist and find out what your treatment plan is for this update.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
