St Jude and Abbot Pacemakers Need Security Update.

If you or someone you know uses a pacemaker from Abbot or St Jude Medical, there is a firmware upgrade waiting for you at your next check-up.  Or even sooner, depending on what you and your doctor decide.  This upgrade closes a security hole that could allow an unauthorized person or attacker to change programming on the pacemaker.  This vulnerability can lead to sudden loss of battery power, an increase or reduction in the pacer timing, or deliver unexpected defibrillation shocks.  These commands could be sent over the radio connection these pacemakers use to communicate with their base station and the doctor.

We have spent some time reporting about the massive cybersecurity nightmare that is the “Internet of Things.”  The list of devices that have been successfully hacked include web cameras, environmental control systems, home network hubs, Internet and wireless routers, and automobiles.  This is only a partial list, but you can use your imagination to figure out why attacks on these devices may be bad for your health.

The issue with the pacemakers was discovered by security researcher MedSec back in September 2016.  As is often the case, instead of thanking the researchers, SJM sued them.  Once the FDA investigated and confirmed the report, St Jude dropped the lawsuit and worked on fixing the problem.  The main issue was the use of weak 24-bit RSA encryption used in authentication, and the use of a hard-coded 3 byte override code.  These issues are being addressed in the firmware update.  There is a very low risk of failure (0.62%) and when these updates have failed in the past, they were successfully upgraded on a second attempt.  So a very low risk factor.

Here’s the list of affected devices:

  • Current
  • Promote
  • Fortify
  • Fortify Assura
  • Quadra Assura
  • Quadra Assura MP
  • Unify
  • Unify Assura
  • Unify Quadra
  • Promote Quadra
  • Ellipse

There are no known cases where a pacemaker has been taken over by an unauthorized person, so far.  The upgrade procedure can be done in the doctor’s office without surgery, lasts about 3 minutes, and may cause brief discomfort.   During the upgrade, the device runs in backup mode at 67 beats per minute, and would be unable to respond to a cardiac event that occurred during the upgrade.  This not a should do, but a must do, so check with your cardiologist and find out what your treatment plan is for this upgrade.

More information:

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.