These vulnerabilities were discovered by MedSec. In September 2016, Abbott sued MedSec and security company Muddy Waters, accusing the two companies of deliberately stirring up alarm over vulnerabilities in pacemakers. The vulnerabilities are detailed at http://d.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJ_08252016_2.pdf and were fixed in January 2017.
The current vulnerabilities found by MedSec were fixed at the time, but the US Food and Drug Administration only yesterday approved the patch for release to the public.
The FDA and Abbott encourage patients to see a doctor if they are using one of the brand's devices and, if necessary, to update it immediately. Abbott gave instructions to both doctors (https://www.sjm.com/~/media/galaxy/hcp/resources-reimbursement/technical-resources/product-adviseries-archive/cybersecurity-pacemaker-firmware/pacemaker-firmware-update-doctor-letter-aug2017-us.pdf?la) and patients (https://www.sjm.com/~/media/galaxy/patients/heart-vascular/arrhythmias/resources-support/cybersecurity/pacemaker-firmware-update-patient-guide-aug2017.pdf?la=en). According to the FDA, the following pacemakers are affected:
Abbott estimates it will take about 3 minutes to install the update. The worst-case scenarios can be:
Abbott, US CERT and the FDA said that no attackers have exploited the vulnerabilities that MedSec found. According to FDA data, about 465,000 pacemakers across the United States are affected by these vulnerabilities.