Pacemaker? Check your firmware! Recall Alert
If you or a loved one has a pacemaker, you need to read this. On August 29, 2017, the FDA issued a recall for Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers. The recall notice seemed to indicate that a hacker could cause great harm to a patient and possible even cause death –
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
If you have one of these devices, or know someone who does, seek assistance from your medical provider.
More information is available at https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
For those wishing to see some of the details of several of the previous vulnerabilities the following provides an interesting read, https://medsec.com/stj_expert_witness_report.pdf
Details of the new vulnerabilities are available at
Excerpt of the security bulletin from AUSCert - "VULNERABILITY OVERVIEW IMPROPER AUTHENTICATION The pacemaker's authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). IMPROPER RESTRICTION OF POWER CONSUMPTION The pacemakers do not restrict or limit the number of correctly formatted RF wake-up commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). MISSING ENCRYPTION OF SENSITIVE DATA The Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information. CVE-2017-12716 has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). VULNERABILITY DETAILS EXPLOITABILITY These vulnerabilities could be exploited via an adjacent network. Exploitability is dependent on an attacker being sufficiently close to the target pacemaker as to allow RF communications. EXISTENCE OF EXPLOIT Exploitation of vulnerabilities has been publicly demonstrated; however, exploit code is not publicly available. DIFFICULTY An attacker with high skill would be able to exploit these vulnerabilities."