Abbott, a pharmaceutical company known for manufacturing pacemakers, has recently stated that patients who use its pacemakers should visit their doctors to have their devices updated with a security patch. The update is supposed to fix three recently detected security vulnerabilities which could potentially be exploited by a skilled hacker. The vulnerabilities are outlined in a report issued by the Center of Emergency Readiness (CERT) team of the Department of Homeland Security (DHS). Here is a link to the full alert report.
How can the flaws be exploited
To exploit the detected vulnerabilities in the pacemakers, a hacker would need a sufficient level of programming skill, as there is no exploit code available to the public. This means that the attacker would have to create their own exploit package after figuring out the exploit code, something that very few programmers would be able to do. This is good news, since the chances of people having their pacemakers hacked into are rather low. Additionally, for such a criminal operation to be successful, the hacker would need to be in close range of their victim (a couple of inches) and remain there for several minutes. This is because the only way to hack into the pacemaker is by using radio frequency communication.
That said, if a cyber-criminal somehow manages to pull off such an attack, the consequences could be rather disturbing and highly dangerous. If the pacemaker is hacked, its settings could be altered or the device could even be shut down. As this is a form of life-supporting technology, having anything happen to it can pose a direct risk to one’s life.
Vulnerabilities in Abbott pacemakers were found back in 2016
MedSec, a company that focuses on security research for healthcare technology, claimed to have detected security flaws in Abbott's pacemakers back in 2016. Following this, Abbott filed a lawsuit against MedSec and another company known as Muddy Waters, with accusations that the statements made about the security of the pacemakers were false and financially motivated.
The recently detected flaws that led to the new patches by Abbott were fixed back in January this year, yet the FDA approved the public release of the updates only a couple of days ago. Currently, there are approximately 465 000 Abbott pacemakers in the USA that contain the detected vulnerabilities and that need to receive an update. The models of impacted devices are as follows: Assurity, Accent, Anthem, Allure, Accent ST, Accent MRI.
The updating process
The pharmaceutical company has issued guide manuals for both doctors and their patients to ensure the smooth and swift introduction of the software patches. To update the pacemaker, the doctor needs to use an RF stick that is held near the device for a couple of minutes until the update is finished. Patients are encouraged to reach out to their doctors to have their devices patched and the security flaws removed. There are a couple of potential, though highly unlikely, issues which might arise, such as reloading of previous software versions as a result of incomplete updates, or loss of the current device settings. In the worst-case scenario, the device might lose its functionality, yet the chances of this happening have been estimated to be approximately 0.003%. So far, no exploitation of the security flaws has been reported, according to the FDA and CERT.