When Vice President Dick Cheney asked his cardiologist to replace his WiFi-connected pacemaker with one without internet capability in 2007, assassination through medical device hacking seemed far-fetched. But this week, the U.S. Food and Drug Administration announced that almost half a million pacemakers made by Abbott are vulnerable to hackers.
The FDA announced on Wednesday that patients with the Abbott (formerly St. Jude Medical) radio frequency-enabled implantable pacemaker should update the software to patch a security vulnerability in the device's older software. The FDA says it did not receive any reports of pacemakers being compromised, but the agency says a targeted attack is possible. The FDA says the recall affects 465,000 Abbott devices.
The FDA says patients do not need to get a new pacemaker, but patients with the device should go to their doctor to update the device's firmware (a type of software inside the device). It's an easy fix that only takes three minutes and does not require surgery, the FDA says. A doctor would need to put the device in backup mode and update the software.
According to the FDA, the Department of Homeland Security told the agency that compromising the security of Abbott devices would require "a highly complex attack." An attacker would need to be very close to the victim, but the older software would allow an attacker to gain access to the device and send commands through radio frequency (RF) transmissions. The commands could range from turning the device off to increasing the pace frequency.
As with any firmware update, there is a small risk--0.003 percent--that the device will lose functionality. The FDA suggests patients get the device updated in a facility that could respond to a broken pacemaker.
Last year, when the company was known as St. Jude Medical, cyber firm MedSec reported that the pacemakers were vulnerable to hackers.
Last fall, Johnson & Johnson issued a warning about its insulin pump being vulnerable to cyber attacks, too. The trend in medical devices connected to the internet has opened the door to hackers being able to threaten victim's lives, Ed Cabrera, chief cybersecurity officer at the threat research firm Trend Micro, tells Wired.
"The entire extortion landscape has changed," Cabrera said. "You do get into this life or death situation potentially."