465k Pacemakers vulnerable; users must visit doctors for fix

Are you using Pacemaker device manufactured by Abbott Laboratories (previously St. Jude Medical)? If yes, this article is especially for you.

It is no surprise that Pacemaker, the small device that is implanted in the body of a patient to deal with life-threatening cardiac rhythmic issues are open to critical vulnerabilities. Now, Food and Drug Administration (FDA) has sent out a security notice that around 465,000 (half a million) Pacemaker devices are vulnerable to hack attacks and require a critical software update to protect them.

These existing vulnerabilities can allow hackers to modify the settings of a targeted device and turn it off which can be fatal for patients since Pacemakers (Pdf) use batteries to send electric signals to the heart to help it pump the right way. The pacemaker is connected to the heart by one or more wires.

More: Johnson & Johnson’s Insulin Pumps vulnerable to cyber attacks

“These vulnerabilities, if exploited, could allow an unauthorized user (i.e., someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA wrote.

The Pacemakers under discussion were manufactured by Abbott Laboratories (previously St. Jude Medical). To receive a firmware update to fix vulnerabilities in their device, patients must visit their doctors and healthcare provider in the United States while 280,000 devices are entitled to receive update outside the United States.

The list of vulnerable devices include:

Accent
Anthem
Accent MRI
Accent ST
Assurity
Allure

Currently, there are no reports or indications of unauthorized access to any patient’s implanted device. Abbott, on the other hand, said it would also update the software embedded in pacemakers to reduce the risk of hacking.

In 2016, Muddy Waters released a report claiming that pacemakers and other implantable devices manufactured by St. Jude Medical are vulnerable to life threatening cyber attacks. In return, St. Jude Medical not only rejected Muddy Waters’s report but also filed a lawsuit for defamation. However, FDA Homeland Security conducted an investigation and confirmed that Muddy Waters’s findings were legitimate.

More: Researcher Claims Hospital Drug Pumps Can Be Hacked

In May this year, WhiteScope security researchers found thousands of critical security flaws in Pacemakers leaving them vulnerable to cyber attacks that can potentially bring about some fatal consequences since the attackers can even adjust the pacemaker should they choose to; posing a grave risk to the lives of patients.

Featured image via: Rick Thompson

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.