
FDA Issues Recall of 465,000 St. Jude Pacemakers To Patch Security Holes (zdnet.com) 73

In what may be a first, patients with heart conditions that are using particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering. From a report: It seems such an odd concept at first, but with many kinds of pacemakers now "smarter," with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose. In particular, Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis. The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device. On Tuesday, the FDA issued a security advisory, warning that the pacemakers must be recalled -- and as they are embedded within the chests of their users, this requires a home visit or trip to the hospital to have the software patch applied.
  • while their device is rebooting?

    • by Anonymous Coward on Wednesday August 30, 2017 @01:41PM (#55111613)

      Pacemakers are there to correct a bad or weak rhythm. They don't do the actual work of pumping blood.

      Also, it's possible to hook up an external pacemaker while the implanted one is being reflashed.

      • Also, it's possible to hook up an external pacemaker while the implanted one is being reflashed.

        I hope it's the case, 'cause having 465,000 pacemakers to reflash, you know... ever heard of Murphy's law? [wikipedia.org] The patient better be in a good mood during the firmware update.

      • by sjames ( 1099 )

        And in many cases, as long as the patient is lying down comfortably, they will be fine with their own heart rhythm for a few minutes.

    • by Anonymous Coward

      They'll probably be praying that the damn thing will come back up again and not get bricked by a failed update.

    • by Shotgun ( 30919 )

      Congregate in the aisles and complain about management like the rest of us?

  • by Anonymous Coward

    For the last five years!

  • .. of Logan's Run (caution.... spoilers follow)....

    ...could be avoided if the City just installed devices that terminated people at the requisite age if they did not participate in their ritual instead of having to maintain a police-like organization of people that hunted them down.

    Of course, this could be circumvented by the (surgical) removal of such a device, which could itself have been the plot point of a different kind of story.

    • You know, it occurs to me that the entire plot of Logan's Run (caution.... spoilers follow)....

      Really?! Spoilers on the internet already?! It was just released to theaters two score and one year ago!

      • by mark-t ( 151149 )

        Hey, I've been chewed out before just for saying stuff online about Star Wars a New Hope. My point was to offer a disclaimer in the hopes of avoiding that.

        I can't win.

  • This is like something from the original Robocop movie [youtube.com].

    A similar kind of messed-up.

    "and remember... we care!"

  • by bigdady92 ( 635263 ) on Wednesday August 30, 2017 @02:16PM (#55111847) Homepage
    Is this the new buzzword term of the week? What the hell is a Threat Actor? Tom Cruise on a bad hair day?
  • You know, if you'd even think about launching a denial-of-service attack on a pacemaker, you're kind of an asshole, as well as a homicidal maniac!
    • You know, if you'd even think about launching a denial-of-service attack on a pacemaker, you're kind of an asshole, as well as a homicidal maniac!

      *Shrug*. What about folks who think about running rental vans into crowds of innocent pedestrians, and following up with machete attacks . . . ?

      Our Western Civilization is very tolerant of assholes . . . and those who support their doctrines in words and deeds.

      That's why it is necessary. I remember that when I was in elementary school, we didn't even have to lock our bikes. By the time I was in high school, you needed an elephant shackle. It's like a Law of Thermodynamics entropy decline where "assho

  • by Ed Tice ( 3732157 ) on Wednesday August 30, 2017 @02:26PM (#55111929)
    This is what happens when you try to save a few cents on the bill of materials and don't include a 3g radio for remote administration. That way you can just push out updates when security defects are found. Plus you could collect experience data in order to improve future products. (Apologies to the humor impaired)
    • by Anonymous Coward
    • This is what happens when you try to save a few cents on the bill of materials and don't include a 3g radio for remote administration.

      I hope you are joking.

      A) A 3g radio would take a LOT of power compared to the rest of the unit.
      B) That would be one hell of a security hole! Cell networks are NOT secure. Baseband modems are NOT secure. A DoS attack alone could drain the battery in minutes!

      This is on par with tying a rope around your neck and attaching the other side to your car seat so that you don't get whiplash. It does solve the whiplash problem but you're still retarded for doing it.

      • It's definitely a joke. And even funnier, because of using cellular data operating in the microwave band - which people with pacemakers are already avoiding (at this close of a range, at least).

      • Protip: read right to the end before replying.

  • by Anonymous Coward

    Wife has defibrillator/pacemaker. To do any programming you have an antenna placed over device to interrogate it. Any further than a few inches and you lose signal. Yes, anything is possible but clearly unless someone jumps you and proceeds to hack your device. I think most people are pretty safe. Also the Saint Jude devices like my wife’s cannot be reprogrammed over remote connection. Only recover events and errors.

    • Yes, but even the slightest whiff of potential lawsuits for "enabling a real Internet kill switch" has the manufacturers of such devices running scared.

      They are going to be damn sure that their devices are hardened now. Hell, you could build a portable microwave pacemaker fryer if you want. And given the trend of things these days, someone will do it for shits & giggles. But the pacemaker manufacturer can't be held liable for that.

      • by arth1 ( 260657 )

        Hell, you could build a portable microwave pacemaker fryer if you want. And given the trend of things these days, someone will do it for shits & giggles.

        I doubt you would be able to elicit giggles with such a device. The other one, probably.
        Hacking hearing aids for the lulz is also coming, I'm sure. And electric wheelchairs.

    • by sjames ( 1099 )

      Keep in mind, Bluetooth is a short range signal as well, but with a specialized antenna, 100 meters or more is possible. Also keep in mind that if the device is programmable at all, an exploit could allow re-programming even if remote connections are supposed to be read-only.

  • The internet of dead things.
  • But if you do brick it, for the RMA, do you send the whole human back with the pacemaker, or do you extract the pacemaker so you can save on shipping?

    • You'd need to uninstall the device and ship it *in the original packaging*.

      Sure, uninstallation typically produces significant damage at the "installation site" (er human being) but that's not the manufacturer's problem.
  • Undoing moderation.
