Cleaning up a mess is never fun. Cleaning up an inherited mess is worse, and that's the position in which Abbott Labs finds itself after a harsh letter of warning from the US FDA.
At issue are the pacemakers and internal defibrillators sold by St. Jude Medical before the company was acquired by Abbott Labs in January 2017. According to the FDA's Warning Letter, St. Jude Medical (now Abbott Labs) has failed to correct previously noted battery problems and cybersecurity vulnerabilities in both pacemakers and internal defibrillators. The letter, dated April 12, noted that the company has failed to either correct the problems or implement procedures to ensure that they do not recur. In addition, the letter cites Abbott Labs for selling a small number of units already under a recall order.
In January, the FDA confirmed that the St. Jude Medical devices contained software with vulnerabilities that could allow an unauthorized third party to gain control of the pacemaker or defibrillator and quickly run down the battery or deliver a series of shocks at the wrong time. At the time, St. Jude said that it had developed a software patch that could be automatically applied to devices through the Merlin@home transmitter each patient uses with the devices. Abbott Labs also said that it was working with both the FDA and DHS to improve device security.
The original vulnerability report, published by investment firm Muddy Waters Research and based on "ethical hacking" from MedSec, was controversial because Muddy Waters released the information, which described vulnerability to man-in-the-middle attacks in the implantable devices, in a statement regarding stock sales and purchases rather than in a private message to either St. Jude Medical or the FDA.
The latest FDA warning letter indicates that Abbott Labs has not dealt with the problem to the satisfaction of the FDA. On a larger scale, this is the sort of IoT security issue that many experts have warned about: critical components containing serious vulnerabilities deployed in difficult-to-update scenarios. Companies that sell IoT systems, as well as those that are their customers, are likely to be watching the interaction of Abbott Labs and the FDA to see how future IoT vulnerabilities will be dealt with by regulators and industry.
— Curtis Franklin, Security Editor, Light Reading