350,000 cardiac devices need a security patch

The US Food and Drug Administration (FDA) last month approved a firmware patch for devices made by Abbott’s (formerly St Jude Medical) that are vulnerable to cybersecurity attacks and which are at risk of sudden battery loss.
Some 350,000 patients are affected. The FDA is recommending that all eligible patients get the firmware update “at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.”
The cybersecurity vulnerabilities were found in Abbott’s radio frequency- (RF-) enabled implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds).
The latest update is actually a continuation of the same effort Abbott undertook in August 2017 for its pacemakers and remote monitoring systems. The cybersecurity and battery performance updates issued in August are now FDA-approved and available for implantable defibrillators.
The issues with St Jude Medical’s devices have been playing out for a while. In September 2016, the company sued Internet of Things (IoT) security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment.
In January 2017, five months after the FDA and the Department of Homeland Security (DHS) launched probes into claims that St Jude Medical’s pacemakers and cardiac monitoring technology were vulnerable to potentially life-threatening hacks, security consultants at Bishop Fox confirmed the validity of MedSec’s findings. The company begrudgingly stopped fighting and litigating and issued security fixes.
The January updates were for the Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.

At the time, cryptographic expert Matthew Green, an assistant professor at Johns Hopkins University, described the pacemaker vulnerability scenario as the fuel of nightmares.
He put out a series of tweets on the matter, including these messages:

The summary of the problem is that critical commands: shocks, device firmware updates etc. should only come from hospital programmer 5/
Unfortunately SJM didn’t use strong authentication. Result: any device that knows the protocol (including home devices) can send these 6/
And worse, they can send these (potentially dangerous) commands via RF from a distance. Leaving no trace. 7/

Specifically, the devices use 24-bit RSA authentication, he said: “No, that’s not a typo.” Beyond the weak authentication, St Jude also included a hard-coded 3-byte fixed override code, Green said.

I’m crying now.

To date, there have been no known reports of patients being harmed due to security vulnerabilities, either in the Merlin systems or in the ICDs and CRT-Ds covered in the most recent security advisory. Here’s the list of those devices:

• Current
• Promote
• Fortify
• Fortify Assura
• Quadra Assura
• Quadra Assura MP
• Unify
• Unify Assura
• Unify Quadra
• Promote Quadra
• Ellipse

Fortunately, the update doesn’t entail open-heart surgery, though it does require an in-person trip to a healthcare provider’s office. It can’t be done from home via Merlin.net. The firmware update takes three minutes, during which the device will operate in backup mode, pacing at 67 beats per minute.
Abbott said that with any firmware update, there’s always a “very low” risk of an update glitch. Based on the company’s previous firmware update experience from an August 2017 pacemaker firmware release and the similarities in the update process, Abbott said that installing the updated firmware on the ICDs and CRT-Ds could potentially result in the following malfunctions:

• Discomfort due to backup VVI pacing settings
• Reloading of the previous firmware version due to an incomplete update
• Inability to treat ventricular tachycardia/fibrillation while in back-up mode
• Device remaining in back-up mode due to an unsuccessful update
• Loss of currently programmed device settings or diagnostic data

The FDA said that nothing bad happened to patients in that August 2017 firmware update. About 0.62% of the devices experienced an incomplete update and remained in the back-up pacing mode, but in all of those cases, the devices were restored to the prior firmware version or received the update successfully after Technical Services intervened.
The FDA says that an update to the programmer should reduce the frequency of these minor update issues. Also, a small percentage (0.14%) of patients complained of diaphragmatic or pocket stimulation, or general discomfort for the time that the device was in the back-up pacing mode. There haven’t been any cases reported to Abbott where the device remained in back-up mode following an attempted firmware update.
UPDATE: 8 May 2018. This story was updated to correct the number of devices affected and the fact that this update was for implantable defibrillators.