Jacksonville, Florida - The vulnerable units were using 24-bit RSA authentication and a three-byte hardcoded override code.

Every now and then the world tricks you into thinking that it’s a nice, happy place. That’s why terror-inducing headlines like today’s – that nearly half a million people have vulnerable pacemakers that require an immediate firmware update – are good for reminding us that we are all doomed.

Late last month, the US Food and Drug Administration (FDA) approved a firmware update for pacemakers made by Abbott’s (formerly St. Jude’s Medical), and now it is politely insisting that you get that firmware update at your earliest possible convenience, lest you meet a horrible fate. Some 465,000 patients currently have a device in their chest that is vulnerable to cyber attacks and sudden battery loss.

A pacemaker is a small device that helps to regulate irregular heartbeats. You can see why a vulnerability in one is a terrifying prospect. in this case the pacemakers’ vulnerability is found in their radio frequency-enabled “implantable cardioverter defibrillators” and “cardiac resynchronization therapy defibrillators.”

What can happen if these pacemakers are attacked?

The Abbott’s pacemaker vulnerabilities allow for an attacker to access the vulnerable device using commercially available equipment.

This unauthorized user could then modify programming commands to the implanted defibrillator, which could result in patient harm from rapid battery depletion (unrelated to lithium clusters), or administration of inappropriate pacing or shocks.

Now, it’s worth noting that – probably in an attempt not to scare the you-know-what out of people – the FDA just kind of slipped “shocks” in there at the end. We’re not talking a little snap like you get when you drag your feet across the office carpet and then reach for the door knob. We’re talking defribrillator shocks. Something that can both start a stopped heart, and stop a beating one. What’s even scarier is that this can be done using RF at a distance.

What kind of security did these pacemakers have in place?

Before I go any further, it’s worth noting that some of these devices are a bit older. Pacemakers are supposed to last a while, so not all of the affected devices are the latest and greatest. But some do trend newer and that makes the safeguards in place seem even more egregious. The pacemakers in question used 24-bit RSA authentication and had a three-byte override code that is hardcoded into each device. That means it would be trivially easy to compromise one of these things. To give you a sense of context, the current CAB Forum minimum requirement is 112-bit, and even that isn’t completely secure.

Suffice it to say, moving forward the entire medical device industry – not just Abbotts – will need to pay more attention to securing connected medical devices because someone could actually die from this vulnerability. Fortunately, the FDA reports there are no known cases of a pacemaker being hacked. Still, considering the stakes this isn’t something anyone can afford to take chances with.

What Abbott pacemakers are affected?

Here’s the list, as provided by the FDA:

  • Current
  • Promote
  • Fortify
  • Fortify Assura
  • Quadra Assura
  • Quadra Assura MP
  • Unify
  • Unify Assura
  • Unify Quadra
  • Promote Quadra
  • Ellipse

How does a pacemaker get a firmware update?

Good question. It’s not exactly an easy process, definitely not something the can be done at home. If you are one of the people affected by this vulnerability you will need to make an appointment with your doctor. The firmware update will take about three minutes, during which time your pacemaker will operate in backup mode.

As with any firmware update, there is a very low risk of an update malfunction. Based on Abbott’s previous firmware update experience from the August 2017 pacemaker firmware release and the similarities in the update process, installing the updated firmware on the ICDs and CRT-Ds could potentially result in the following malfunctions:

  • discomfort due to backup VVI pacing settings;
  • reloading of the previous firmware version due to an incomplete update;
  • inability to treat ventricular tachycardia/fibrillation while in back-up mode as high voltage therapy is disabled;
  • device remaining in back-up mode due to an unsuccessful update, and;
  • loss of currently programmed device settings or diagnostic data.

The August 2017 firmware update to Abbott pacemaker devices has had no reports of serious adverse events to date. For those devices, approximately 0.62% of devices experienced an incomplete update and remained in the back-up pacing mode. However, in each case, the devices were restored to the prior firmware version or received the update successfully after Technical Services was contacted and intervened.

One final word

It’s a sad statement about the state of the world that we have to worry about someone hacking pacemakers, but here we are. Despite the fact that you would have to be just an absolute piece of trash to exploit a vulnerability like this, we can’t afford to ignore it and presume nobody would stoop that low. This is the same reason we have safety wraps and seals on aspirin bottles, because there are depraved people out there.

Finally, if this post came off a little heavy-handed, I apologize, but that was purposeful. This is important. It could literally be a matter of life or death. If you or a loved one has a pacemaker, double-check that this firmware update doesn’t apply. Better safe than sorry.