Welcome to 2017: Patients using pacemakers should see a doctor soon to be 'patched'.

Patients use Abbott's pacemakers - formerly called St. Jude Medical - is recommended to have a medical examination to update the security of implanted medical devices.

Security updates will fix three security holes MedSec Holdings Ltd. discovered last year. Details of these errors are included in the warning issued by the CERT (US Computer Emergency Response Center) of the Department of Homeland Security.https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01

It is not easy to exploit the vulnerability

CERT said that these vulnerabilities allow an attacker to interfere with the device and issue commands, change settings or interfere with the device's functionality.

The consequences are terrible but US CERT also said that it is not easy to attack because there is no exploit code for attackers to create their own attack package. Exploitation also needs high skills that few people have. Moreover, the attacker must be fairly close (several centimeters) of the object to be able to communicate using radio waves.

Welcome to 2017: Patients using pacemakers should see a doctor soon to be 'patched'. Picture 1
Patients using pacemakers are advised to see a doctor

These holes were discovered by MedSec. In September 2016, Abbott sued MedSEc and security company Muddy Waters, accusing the two companies of deliberately stirring up gaps in pacemakers. These vulnerabilities are detailed here http://d.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJ_08252016_2.pdf and have been fixed in 1/2017.

The current vulnerabilities found by MedSec were fixed at the time, but the US Food and Drug Administration yesterday approved the patch to release it to the public.

Patients should see a doctor as soon as possible

FDA and Abbott encourage patients to see a doctor if they are using a brand device and if necessary, update it immediately. Abbott gave instructions to both doctors https://www.sjm.com/~/media/galaxy/hcp/resources-reimbursement/technical-resources/product-adviseries-archive/cybersecurity-pacemaker-firmware/pacemaker- firmware-update-doctor-letter-aug2017-us.pdf? la and patients. https://www.sjm.com/~/media/galaxy/patients/heart-vascular/arrhythmias/resources-support/cybersecurity/pacemaker-firmware-update-patient-guide-aug2017.pdf?la=en According to FDA, The following pacemakers are affected:

1. Accent
2. Anthem
3. Accent MRI
4. Accent ST
5. Assurity
6. Allure

Abbott estimates it will take about 3 minutes to install the update. The worst scenarios can be:

1. Reload the previous firmware version due to missing update (0.161%).
2. Lost programmed settings on device (0.023%).
3. Complete loss of device functionality (0.003%).
4. Loss of diagnostic data (not reported).

Abbott, US CERT and FDA said that no attackers have exploited the vulnerabilities that MedSec found. According to FDA data, about 465,000 pacemakers across the United States are affected by these vulnerabilities.