Firmware Update Approved for 745,000 Pacemakers

Pacemakers regulating the heartbeats of 465,000 individuals in the US will get new firmware to prevent unauthorized access. The update, approved by the US Food and Drug Administration, fixes security vulnerabilities that could let an attacker nearby affect the way the device functions. Patients who want a more secure pacemaker should visit their doctors to install the latest firmware version.

The cardiac devices are manufactured by St. Jude Medical and were the subject of a heated debate last year after investment company Muddy Watters Capital made public a report showing the vulnerable state of the pacemakers, without consulting the maker first. St. Jude Medical rejected the findings and sued Muddy Watters and MedSec, the cyber security firm that identified the hazards. However, a patch became available, fixing the bugs shortly after Abbott Laboratories acquired St. Jude in early January.

The FDA approved the new firmware recently and, in a safety communication, it offers details about the update procedure and the risks it involves. For the three minutes it takes to carry out the update, the device runs in backup mode and paces at 67 beats per minute, with life-sustaining features being available. The risks were calculated based on previous update procedures from St. Jude, which have shown a very low rate of malfunction– the rate of complete loss of functionality is 0.003%.

The affected devices are Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI. An advisory from US ICS-CERT details the flaws, explaining that “exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.”

One security gap highlighted in the advisory refers to the authentication algorithm, which could be bypassed or compromised to issue commands to a vulnerable device through its radio-frequency communication channel. Another fault concerns lack of encryption when some of the pacemakers exchange patient data with their programming units. A third vulnerability could allow the repetitive sending of commands that rapidly run down the battery. Abbott’s update ensures encrypted data transmission and integrates protection and limitation of commands that can be sent via radio frequency communication.

Almost half a million of the vulnerable pacemakers are used by patients in the US, but BBC News learned from Abbott that 280,000 of them are available in other countries. This increases the number of affected cardiac devices to 745,000. Although the vulnerabilities have been exploited in public demonstrations, the attack code has remained private. The FDA says that there are no known reports of patients being harmed as a result of exploiting any of the vulnerabilities.

Credit: St. Jude Medical