FDA recalls 465,000 pacemakers open to cyber attack
1.9.2017 securityaffairs Cyber

The United States Food and Drug Administration (FDA) is recalling 465,000 pacemakers that could be hacked by attackers.
The FDA is recalling roughly half a million pacemakers because they are vulnerable to hacking, and affected people in the United States are urged to get their pacemakers updated.

In May, researchers from security firm White Scope analyzed seven pacemaker models sold by four different manufacturers and discovered that the devices could be hacked with “commercially available” equipment that costs between $15 and $3,000.

The FDA has recalled 465,000 pacemakers after discovering security vulnerabilities that could be exploited by hackers to reprogram the medical devices to run the batteries down or, in a terrifying hacking scenario, to modify the patient’s heartbeat.

The good news is that there are no reports of hacked pacemakers yet.

The affected devices belong to six types of pacemakers manufactured by Abbott: the Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure.

In the U.S., an updated version of the firmware is available for Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, and Quadra Allure MP RF.

Pacemakers installed abroad include Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity +, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure, and Quadra Allure MP.

The companies developed a firmware update that forces authentication in order to connect to the devices.

The devices were manufactured before August 28th.

“Many medical devices—including St. Jude Medical’s implantable cardiac pacemakers—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” reads the FDA security advisory.

“As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”

Fortunately, the firmware running on the affected pacemakers could be updated without removing them from the patients.

Patients have to go to their healthcare provider to receive the firmware update, a very simple operation that takes just 3 minutes.
The update also includes encryption, operating system fixes, and the ability to disable network connectivity features.

“The new pacemaker firmware update is part of Abbott’s planned enhancements that began with updates announced in January 2017 to the Merlin@home™ v8.2.2 software. The new updates provide an additional layer of security against unauthorized access to these devices,” reads Abbott’s press release.

“The update contains a software release that includes data encryption, operating system patches, and the ability to disable network connectivity features, in addition to the firmware update.”

“Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated.”