Abbott to fix critical vulnerabilities in 350,000 ICDs & Pacemakers

Abbott has recalled around 350,000 implantable defibrillators for a firmware upgrade because the devices were found to contain life-threatening flaws that leave them vulnerable to exploitation. The company, formerly known as St. Jude Medical, has recalled this huge number of devices to patch the flaws and protect patients whose lives could be put in danger by hacked pacemakers.

Reportedly, some of the implantable cardioverter defibrillators (ICD), also known as cardiac resynchronization therapy defibrillator (CRT-D) devices, from Abbott will undergo a firmware upgrade. Through the upgrade, the devices, or pacemakers as we commonly refer to them, will gain improved protection against hack attacks and unauthorized access, and about 465,000 affected patients will be protected from life-threatening situations.

Last year, security researchers MedSec and Muddy Waters identified flaws in Abbott pacemakers, but the company rubbished the claims and went on to file a defamation suit against the researchers.
However, the FDA's report and a U.S. Department of Homeland Security ICS-CERT advisory seconded the findings of the researcher duo, putting pressure on Abbott to fix the flaws. Abbott was left with no choice but to start releasing firmware updates and issue a voluntary recall. The FDA report revealed that Abbott had been aware of the issues with its pacemakers since 2014.

After the upgrade, nobody except the doctor will be able to make changes to the pacemaker. The update has been approved by the FDA and includes a pair of vital-sounding fixes as well as security updates. After the firmware upgrade, the device will be able to detect if its battery is draining quicker than expected and will notify the patient accordingly.

According to its website, Abbott has planned a series of updates for its implantable devices, remote monitoring systems, and programmers. Pacemaker patching is the first part of this series, which was planned in 2017 after researchers claimed that the cardiac implantation devices were plagued with security flaws that may lead to devastating results. The company is asking patients to contact their doctors before getting the implantation procedure done.

The issue with pacemakers developed by Abbott is related to a hardcoded unlock code. If a hacker identifies this code, it becomes quite easy to obtain backdoor access to all vulnerable devices. The Merlin@home transmitter was also found to be vulnerable to a man-in-the-middle attack. If the flaws are exploited together, a hacker can send commands from the Merlin@home transmitter to manipulate the implants and create cardiovascular issues that may lead to the death of the patient.

Abbott claims that there haven't been any reports of its pacemakers being exploited by hackers or of somebody gaining unauthorized access to the implanted devices. An in-office visit is required to get the updates, but the updating process itself would be non-intrusive. As explained by Abbott:

“During the upgrade, a wand will be placed over your ICD or CRT-D and will transfer the information to the device. At the end of the process, the final settings on your device will be reviewed to ensure that the updates have been completed successfully. The upgrade process takes approximately three minutes to complete.”

The company recommends that patients consult their doctors about which update is right for them. So far, nearly 50,000 firmware updates have been carried out on installed devices, and the FDA and Abbott have both affirmed that there haven't been any issues.

Source: SJM | Via: ThreatPost

Waqas
