The US Food and Drug Administration announced today that 465,000 pacemakers have a security vulnerability that could be exploited to make the device operate too quickly or deplete its batteries, and that these devices need firmware updates to keep them from getting hacked.
The vulnerability affects radio frequency-enabled devices made by Abbott (formerly St. Jude Medical). Fortunately, the Department of Homeland Security says that an attacker would need to be near a person with a pacemaker in order to exploit the vulnerability.
There haven’t been any reports of the vulnerability being exploited in the wild, according to the FDA. DHS also notes that the exploit code is not publicly available, so there’s not much risk of a random hacker stumbling across it. “An attacker with high skill would be able to exploit these vulnerabilities,” DHS said.
Still, even though there’s not a ton of risk of having your pacemaker hacked in public, the FDA recommends that patients with the device make an appointment with their doctors to get the firmware update.
“These vulnerabilities, if exploited, could allow an unauthorised user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA warned.
Update: Gizmodo Australia received this statement from Abbott:
Abbott continues to work closely with TGA (Therapeutic Goods Administration) and has updated the agency on the developments. TGA has assessed the cybersecurity update, and has classified it as a safety alert and not as a recall. Abbott is engaging with customers and informing them of the updates per guidance from the TGA.