Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/30/2017
08:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

St. Jude Pacemaker Gets Firmware Update 'Intended as a Recall'

The devices that were the subject of a vulnerability disclosure debate last summer now have an FDA-approved fix.

Abbott Laboratories, the new owner of St. Jude Medical (STM), has issued a firmware update for STM pacemaker devices that addresses vulnerabilities exposed one year ago by security research firm MedSec.  

As the US Food & Drug Administration (FDA) stated in a safety communication Tuesday, the FDA approved last week "a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers." 

The fix is largely to shore up weak RF protocol security that left RF-enabled pacemakers vulnerable to remote unauthorized access. According to Abbott, the firmware update is part of a software release for the [email protected] monitoring device that also includes "data encryption, operating system patches, and disabling network connectivity features." As of Monday, all new devices manufactured will have the new firmware installed already.

This is not exactly a call for emergency rips-and-replaces of all patients' pacemakers, though. According to the FDA safety communication Tuesday, "The FDA and Abbott do NOT recommend prophylactic removal and replacement of affected devices."

Patients must visit their healthcare provider in person to receive the firmware update. Abbott Laboratories advises healthcare providers discuss the potential risks with patients first — both the security risks of attackers exploiting vulnerable firmware and potential complications that could be caused during the firmware update process.

The advisory cites these rates of malfunctioning during the process:

  • "reloading of previous firmware version due to incomplete update (0.161%)
  • loss of currently programmed device settings (0.023%),
  • complete loss of device functionality (0.003%),
  • and loss of diagnostic data (not reported)."

Roughly 465,000 devices are affected by this firmware update, according to the FDA. Joshua Corman, director of the Atlantic Council's Cyber Statecraft Initiative and member of the US Department of Health and Human Service's Health Care Industry Cybersecurity Task Force, took to Twitter to show how those malfunction rates could look in human numbers:   

"[Tuesday's] safety communication is part of the FDA's ongoing work with Abbott to ensure they are properly addressing identified cybersecurity risks and adequately protecting their devices against potential future cybersecurity vulnerabilities," said William Maisel, acting director of the Office of Device Evaluation and chief scientist in the FDA's Center for Devices and Radiological Health, in a statement. "Because all networked medical devices are potentially vulnerable to cybersecurity threats, the FDA has been working diligently with device manufacturers and other stakeholders to ensure the benefits of medical devices to patients continue to outweigh any potential cybersecurity risks."

"Earlier in the year, the FDA acknowledged that there were real vulnerabilities in the devices but didn't recommend doing anything because there was no firmware fix and the device benefits far outweighed swapping the device for something more secure," says Veracode CTO Chris Wysopal. "Now that there is a fix from the manufacturer, they are recommending a firmware update on the patient's next visit to their doctor.  

"What we are seeing," says Wysopal, "is the same type of risk calculus around safety that goes into a motor vehicle recall being used in a medical device recall. If there was a more serious risk to the medical device, we might see the FDA advising patients to immediately visit their doctor. This situation shows with IoT safety and security are becoming synonymous in many cases."

The product recall is a tangible result one year after MedSec chose a controversial method of vulnerability disclosure. Rather than full public disclosure or cooperative disclosure, MedSec partnered with Muddy Waters to release only part of the vulnerability information and then short-sell St. Jude Medical, allowing them to profit off a drop in the manufacturer's stock. (MedSec CEO Justine Bone has since said she thought it was the right move but would not plan to do it again.)

There was debate about whether MedSec's decision had been wise both ethically and strategically. Had it released too much information, or not enough? Would other medical device manufacturers be scared into improving security after this example, or would the event simply jeopardize trusted relationships built with other security researchers? Would this create an entirely new, expensive trend in vulnerability disclosure? MedSec said St. Jude put profits over patients, but critics thought MedSec had done the same itself.

One year later, the questions remain. The vulnerability now has an FDA-approved fix, but that might also have been the case if MedSec had gone through the FDA to begin with last summer.

"Consumers are just waking up to the fact that medical devices can get recalls," says Wysopal, who recently co-presented a session with Bone at Black Hat USA 2017 about using the market to create better security. "This Abbott event will cause medical device manufacturers to get ahead of security problems and put more effort into designing and testing their products to be free from security issues. This is the market working. It is unfortunate that patients have to be at risk before many businesses learn this lesson."

Related Content:

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Duncan Jones
50%
50%
Duncan Jones,
User Rank: Author
8/31/2017 | 3:05:14 AM
If you think it's bad now...
Things will get even more interested in a post-quantum world, where we could see attacks on individuals who otherwise believed they had secure medical implants. Devices are being inserted now that won't see the light of day again for 15-20 years. I'd be amazed if they are being designed with the security challenges of two decades hence in mind.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/5/2017 | 3:06:12 PM
Unsettling
This writer has an implanted BOSTON SCIENTIFIC Defibulator - wireless access point at home to report data to Emory Hospital.  This particularly strikes home for me.  Vast implications in some ways. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.
CVE-2019-6659
PUBLISHED: 2019-11-15
On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.