FDA Issues Recall of 465,000 St. Jude Pacemakers To Patch Security Holes (zdnet.com)
In what may be a first, patients with heart conditions that are using particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering. From a report: It seems such an odd concept at first, but with many kinds of pacemakers now "smarter," with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose. In particular, Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis. The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device. On Tuesday, the FDA issued a security advisory, warning that the pacemakers must be recalled -- and as they are embedded within the chests of their users, this requires a home visit or trip to the hospital to have the software patch applied.
Re: (Score:1)
Re: (Score:3)
Re: (Score:1)
Coroner's Note: He appears to have had his pacemaker beat changed and his heart wasn't funky enough to take it.
Re: (Score:2)
However, he was still able to get down. I'd dare say he couldn't help himself. HNNNGGGGG!!!
What do the patients do (Score:2)
while their device is rebooting?
Re:What do the patients do (Score:5, Informative)
Pacemakers are there to correct a bad or weak rhythm. They don't do the actual work of pumping blood.
Also, it's possible to hook up an external pacemaker while the implanted one is being reflashed.
Re: (Score:2)
Also, it's possible to hook up an external pacemaker while the implanted one is being reflashed.
I hope it's the case, cause having 465,000 pacemakers to reflash, you know... ever heard of Murphy's law? [wikipedia.org] The patient better be in a good mood during the firmware update.
CAN YOU SWIM?! (Score:3)
Re: (Score:2)
And in many cases, as long as the patient is lying down comfortably, they will be fine with their own heart rhythm for a few minutes.
Re: (Score:2)
Why would that make her heart rate go up?
Re: (Score:2)
The only person I've known with a pacemaker was a girl whose heart rate would go astronomically high for no apparent reason. It only happened a few times a week and the pacemaker would kick in and bring it back down.
Other than during those events, the pacemaker didn't do anything.
That's not a pacemaker. That is a defibrillator. Don't be confused. A pacemaker is to accelerate the heartbeat from too slow to normal. A defibrillator, on the other hand, is to slow down the heartbeat from abnormal to the normal range.
Re: (Score:2)
Generally, the refractory period won't change much from overdrive pacing the atrium. And not all are from re-entry circuits. What is happening is the stimulus from ATP conducts down a pathway while it conducts from the opposite direction, ergo obliterating the propagation and stopping the circuit. It doesn't always work and sometimes a shock is necessary if the device is configured to do so.
Re: (Score:2)
Right, and that is a property of the AV node, which is involved in AVNRT but not atrial flutter.
Re: (Score:2)
Some pacemakers -can- overdrive pace patients out of tachy rhythms. I think Medtronic is rolling this out in more pacers after favorable data in a trial of overdrive pacing while charging defibrillators (ICDs) - saved patients a bunch of shocks. Doesn't always work, however, and depends on the mechanism of the rhythm.
Re: (Score:2)
Last I heard, defibrillators restarted the heart on a new cycle.
Re: (Score:1)
They'll probably be praying that the damn thing will come back up again and not get bricked by a failed update.
Re: (Score:2)
They'll probably be praying [...]
I don't see how a prayer will save anything, let alone a pacemaker firmware update.
Re: (Score:2)
Congregate in the aisles and complain about management like the rest of us?
Re: (Score:1)
Is there a punchline you forgot to add, or am I just missing the sarcasm?
Is this why St Jude calls me every day? (Score:1)
For the last five years!
You know, it occurs to me that the entire plot.... (Score:4, Interesting)
Of course, this could be circumvented by the (surgical) removal of such a device, which could itself have been the plot point of a different kind of story.
Re: (Score:2)
With all the shitty remakes of films recently, I can't believe they haven't done one for Logan's Run.
Having seen how studios treat awesome classics of late when they try to crucif^M remake them?
You can shut your damn mouth now and not give the studios any more ideas. :/
Regards,
Someone who has also had more than quite enough of the whole "gritty reboot" treatment.
Re: (Score:2)
What's not to believe? [deadline.com]
Re: (Score:2)
You know, it occurs to me that the entire plot of Logan's Run (caution.... spoilers follow)....
Really?! Spoilers on the internet already?! It was just released to theaters two score and one year ago!
Re: (Score:2)
Hey, I've been chewed out before just for saying stuff online about Star Wars a New Hope. My point was to offer a disclaimer in the hopes of avoiding that.
I can't win.
Re: (Score:2)
I can't win.
Welcome to the internet.
Robocop (Score:2)
This is like something from the original Robocop movie [youtube.com].
A similar kind of messed-up.
"and remember... we care!"
Re: (Score:2)
If you have a weak, defective heart that cannot maintain its own rhythm and subsequently allow a doctor to implant a hackable pacemaker into your chest, and then allow someone to get near enough to hack it, well my friend, it's time for you to go. Good day, sir.
It is a problem that with the US medical system, the patient has no choice of treatment except a Hobson's choice. The doctors have far too much power. Even if you said you would want a device not running any software, a surgeon or insurance company would never let the patient decide.
Re: (Score:2)
That's BS. If you don't want a pacemaker then it is your decision not to get one.
Exactly as I said, it's a Hobson's choice.
Re: (Score:2)
In what way do the doctors have too much power? They've got more knowledge and expertise than the rest of us, so they typically offer what treatments they think good, and the patient decides how to proceed among available options. You seem to think the options too limited, and seem to blame the doctors for not keeping obsolescent devices around.
Re: (Score:1)
Do you really think the doctor is going to know whether the device can be hacked? They all have some sort of communication protocol. My ICD is an older model. I have been able to communicate with it at distances up to ten feet. With a little antenna tweaking I hope to get the distance up to ten meters, then more... They are ALL designed for remote communications. All I am doing is changing the definition of the word 'remote'.
Re: (Score:2)
When software runs a device that you literally depend on to live you have a right to its source code.
If you are going to stand on principle, why not go for "When you need a device to live, you have a right to the device"? Having access to the source code is mostly meaningless, and far less consequential than having access to the actual device.
Hacker=Threat Actor? (Score:5, Funny)
Why is this necessary? (Score:2)
Re: (Score:2)
You know, if you'd even think about launching a denial-of-service attack on a pacemaker, you're kind of an asshole, as well as a homicidal maniac!
*Shrug*. What about folks who think about running rental vans into crowds of innocent pedestrians, and following up with machete attacks . . . ?
Our Western Civilization is very tolerant of assholes . . . and those who support their doctrines in words and deeds.
That's why it is necessary. I remember that when I was in elementary school, we didn't even have to lock our bikes. By the time I was in high school, you needed an elephant shackle. It's like a Law of Thermodynamics entropy decline where "assho
Should have included 3g for remote administration (Score:5, Insightful)
Re: (Score:1)
Not only that, you can also make sure your customers pay their bills! [slashdot.org]
Re: (Score:2)
This is what happens when you try to save a few cents on the bill of materials and don't include a 3g radio for remote administration.
I hope you are joking.
A) A 3g radio would take a LOT of power compared to the rest of the unit.
B) That would be one hell of a security hole! Cell networks are NOT secure. Baseband modems are NOT secure. A DoS attack alone could drain the battery in minutes!
This is on par with tying a rope around your neck and attaching the other side to your car seat so that you don't get whiplash. It does solve the whiplash problem but you're still retarded for doing it.
Re: (Score:2)
It's definitely a joke. And even funnier, because of using cellular data operating in the microwave band - which people with pacemakers are already avoiding (at this close of a range, at least).
Re: (Score:2)
Protip: read right to the end before replying.
Not so easy to infiltrate (Score:1)
Wife has a defibrillator/pacemaker. To do any programming you have an antenna placed over the device to interrogate it. Any further than a few inches and you lose signal. Yes, anything is possible, but clearly, unless someone jumps you and proceeds to hack your device, I think most people are pretty safe. Also, the Saint Jude devices like my wife’s cannot be reprogrammed over a remote connection. Only recover events and errors.
Re: (Score:2)
Yes, but even the slightest whiff of potential lawsuits for "enabling a real Internet kill switch" has the manufacturers of such devices running scared.
They are going to be damn sure that their devices are hardened now. Hell, you could build a portable microwave pacemaker fryer if you want. And given the trend of things these days, someone will do it for shits & giggles. But the pacemaker manufacturer can't be held liable for that.
Re: (Score:2)
Hell, you could build a portable microwave pacemaker fryer if you want. And given the trend of things these days, someone will do it for shits & giggles.
I doubt you would be able to elicit giggles with such a device. The other one, probably.
Hacking hearing aids for the lulz is also coming, I'm sure. And electric wheelchairs.
Re: (Score:2)
Keep in mind, Bluetooth is a short range signal as well, but with a specialized antenna, 100 meters or more is possible. Also keep in mind that if the device is programmable at all, an exploit could allow re-programming even if remote connections are supposed to be read-only.
New market (Score:2)
Definitely don't want to brick that upgrade. (Score:1)
But if you do brick it, for the RMA, do you send the whole human back with the pacemaker, or do you extract the pacemaker so you can save on shipping?
Re: (Score:2)
Sure, uninstallation typically produces significant damage at the "installation site" (er, human being) but that's not the manufacturer's problem.
Null (Score:2)