Abbott Laboratories’ (formerly St. Jude Medical) created a firmware patch to help mitigate vulnerabilities in their pacemakers that utilize radio frequency (RF) communications, according to a report with ICS-CERT.
MedSec Holdings Ltd discovered the vulnerabilities. A third-party security research firm verified the new firmware version mitigates the vulnerabilities.
The Food and Drug Administration (FDA) released a safety communication on August 29, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott Park, IL-based Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication, regarding the identified vulnerabilities and corresponding mitigation. In response, ICS-CERT released an advisory to provide additional detail to patients and healthcare providers.
The following pacemakers manufactured prior to August 28 suffer from the issue:
• Accent MRI
• Assurity MRI
Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
The affected pacemakers are implantable medical devices designed to deliver electrical pulses to correct a slow heartbeat or no heartbeat at all. These pacemakers see action across the healthcare and public health sectors. These products see use on a global basis, however, Accent and Anthem are no longer sold in the U.S.
In one vulnerability, the pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can end up compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.
CVE-2017-12712 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, the pacemakers do not restrict or limit the number of correctly formatted “RF wake-up” commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.
CVE-2017-12714 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Also, the Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information.
CVE-2017-12716 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.1.
These vulnerabilities could be exploited via an adjacent network. Exploitability is dependent on an attacker being sufficiently close to the target pacemaker as to allow RF communications.
Exploitation of vulnerabilities has been publicly demonstrated; however, exploit code is not publicly available.
An attacker with high skill would be able to exploit these vulnerabilities.
Abbott has developed a firmware update to help mitigate the identified vulnerabilities. The version numbers of the firmware update for each product family are as follows:
• Accent/Anthem, Version F0B.0E.7E
• Accent MRI/Accent ST, Version F10.08.6C
• Assurity/Allure, Version F14.07.80
• Assurity MRI, Version F17.01.49
The pacemaker firmware update will implement “RF wake-up” protections and limit the commands that can end up issued to pacemakers via RF communications. Additionally, the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician’s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28 will have this update preloaded on devices.
Abbott said firmware updates should be approached with caution. Like any software update, firmware updates can cause devices to malfunction. Potential risks include loss of device settings, the device going into back-up mode, reloading of the previous firmware due to a failed upgrade, loss of diagnostic data, and a complete loss of device functionality. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a patient, the Cybersecurity Medical Advisory Board recommends:
• Healthcare providers and patients should discuss the risk and benefits of the cybersecurity vulnerabilities and associated firmware update during the next regularly scheduled visit. As part of this discussion, it is important to consider patient-specific issues such as pacemaker dependence, age of device, patient preference, and provide patients with the “Patient Communication.”
• Determine if the update is appropriate given the risk of update for the patient. If deemed appropriate, install this firmware update following the instructions provided by the manufacturer.
• For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator change are readily available, due to the risk of firmware update malfunction.
Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or click here for more information.
The FDA issued a safety communication August 29, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication.