465k patients told to visit doctor to patch critical pacemaker vulnerability

A year after calling advisory “false and misleading,” maker warns patients to patch.

Talk about painful software updates. An estimated 465,000 people in the US are getting notices that they should update the firmware that runs their life-sustaining pacemakers or risk falling victim to potentially fatal hacks.

Cardiac pacemakers are small devices that are implanted in a patient's upper chest to correct abnormal or irregular heart rhythms. Pacemakers are generally outfitted with small radio-frequency equipment so the devices can be maintained remotely. That way, new surgeries aren't required after they're implanted. Like many wireless devices, pacemakers from Abbott Laboratories contain critical flaws that allow hijackers within radio range to seize control while the pacemakers are running.

"If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality," Abbott representatives wrote in an open letter to doctors.

The update will require patients to visit a clinic where doctors will put the pacemakers in backup mode while the firmware is being patched. The Abbott letter said that, for certain patients, the update should be performed "in a facility where temporary pacing and pacemaker generator change are readily available, due to the very small estimated risk of firmware update malfunction." An advisory issued by the Food and Drug Administration said 465,000 pacemakers in the US alone are affected. The number of pacemakers in other countries wasn't immediately available.

Reports of potentially life-threatening vulnerabilities in electronic pacemakers, insulin pumps, and other medical devices have steadily increased over the past decade. Many patients, doctors, and security experts downplay the threat such weaknesses pose, in large part because attackers must be within 50 feet of a patient. People downplaying the risk also say attackers have little motivation to expend so much work, short of sensational plot lines portrayed in the TV series Homeland.

Other security experts, however, point to the growing scourge of ransomware, which threatens victims with sometimes catastrophic data loss unless they pay hefty fees to obtain decryption keys that unlock their encrypted files. Matt Green, a Johns Hopkins University professor specializing in cryptography, is among the people arguing the threat is real.

At the moment, using passwords or similar authentication methods to ensure only authorized people can take remote control of medical devices is problematic. One complication: during medical emergencies, doctors often require immediate access to devices. If a patient is unable to reveal the credentials and hospital staff can't immediately contact the patient's doctor, the security could delay urgent treatment. One potential solution proposed by researchers is a wearable healthcare device that uses the patient's unique physiological signatures to prevent tampering by malicious hackers.

The critical firmware flaws came to light last year in an advisory that was sponsored by an investment firm that was betting against the stock of St. Jude, which was formally acquired by Abbott Laboratories in January. In the two days following the disclosure by the investment firm, Muddy Waters, St. Jude's stock price fell 12 percent. At the time, St. Jude issued a statement saying the Muddy Waters report was "false and misleading."

As controversial as it is to tie a critical vulnerability disclosure to a stock-shorting strategy, the move may also have given the report additional visibility in the board rooms of St. Jude and Abbott Laboratories. All too often, security gets little attention unless it's tied directly to a company's financial performance.

Post updated to add third-to-last paragraph.