Nearly half a million pacemakers are vulnerable to hacks that could be fatal for the device’s user, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said Tuesday.
The vulnerabilities, which affect several pacemakers built by Abbott Laboratories, allow an attacker to issue commands to the device after compromising its authentication algorithm.
“Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker,” an ICS-CERT advisory said.
Although the hack would require a highly skilled attacker using radio frequency (RF) communications within inches of a victim, the Food and Drug Administration (FDA) on Tuesday issued a security update for the more than 465,000 devices currently in use inside the United States.
The vulnerable pacemakers and CRT-P devices from Abbott Laboratories, formerly known as St. Jude Medical, include the Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure.
The update is applied to the device’s firmware and “requires an in-person patient visit with a health care provider.”
“The update process will take approximately 3 minutes to complete,” the FDA said. “During this time, the device will operate in backup mode (pacing at 67 beats per minute), and essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings.”
The FDA argued that despite the small risk associated with internet-connected devices, technological advancements in medical devices “also often offer safer, more efficient, convenient, and timely health care delivery.”
Abbott Laboratories previously recalled 400,000 heart devices in 2016 after a battery issue resulted in two deaths in Europe.