Pacemaker? Check your firmware! Recall Alert

thezootsewt / September 4, 2017 / Healthcare

If you or a loved one has a pacemaker, you need to read this. On August 29, 2017, the FDA issued a recall for Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers. The recall notice seemed to indicate that a hacker could cause great harm to a patient and possibly even cause death:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

If you have one of these devices, or know someone who does, seek assistance from your medical provider.

More information is available at https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

For those wishing to see details of several of the previous vulnerabilities, the following report is an interesting read: https://medsec.com/stj_expert_witness_report.pdf

Details of the new vulnerabilities are available at

CVE-2017-12712

CVE-2017-12714

CVE-2017-12716

Excerpt of the security bulletin from AusCERT:

"VULNERABILITY OVERVIEW

IMPROPER AUTHENTICATION

The pacemaker's authentication algorithm, which involves an authentication key
and time stamp, can be compromised or bypassed, which may allow a nearby 
attacker to issue unauthorized commands to the pacemaker via RF 
communications.

CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base 
score of 7.5 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

IMPROPER RESTRICTION OF POWER CONSUMPTION

The pacemakers do not restrict or limit the number of correctly formatted RF 
wake-up commands that can be received, which may allow a nearby attacker to 
repeatedly send commands to reduce pacemaker battery life.

CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base 
score of 5.3 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

MISSING ENCRYPTION OF SENSITIVE DATA

The Accent and Anthem pacemakers transmit unencrypted patient information via
RF communications to programmers and home monitoring units. The Assurity and 
Allure pacemakers do not contain this vulnerability. Additionally, the Accent
and Anthem pacemakers store the optional patient information without 
encryption; however, the Assurity and Allure pacemakers encrypt stored patient
information.

CVE-2017-12716 has been assigned to this vulnerability. A CVSS v3 base 
score of 3.1 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited via an adjacent network. 
Exploitability is dependent on an attacker being sufficiently close to the 
target pacemaker as to allow RF communications.

EXISTENCE OF EXPLOIT

Exploitation of vulnerabilities has been publicly demonstrated; however, 
exploit code is not publicly available.

DIFFICULTY

An attacker with high skill would be able to exploit these vulnerabilities."
