Slashdot Mirror


FDA Issues Recall of 465,000 St. Jude Pacemakers To Patch Security Holes (zdnet.com)

In what may be a first, patients with heart conditions who use particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering. From a report: It seems such an odd concept at first, but with many kinds of pacemakers now "smarter," with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose. In particular, Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis. The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device. On Tuesday, the FDA issued a security advisory, warning that the pacemakers must be recalled -- and as they are embedded within the chests of their users, this requires a home visit or trip to the hospital to have the software patch applied.

48 of 73 comments

  1. What do the patients do by fredrated · · Score: 1

    while their device is rebooting?

    1. Re:What do the patients do by Anonymous Coward · · Score: 5, Informative

      Pacemakers are there to correct a bad or weak rhythm. They don't do the actual work of pumping blood.

      Also, it's possible to hook up an external pacemaker while the implanted one is being reflashed.

    2. Re:What do the patients do by Anonymous Coward · · Score: 1

      They'll probably be praying that the damn thing will come back up again and not get bricked by a failed update.

    3. Re:What do the patients do by Shotgun · · Score: 1

      Congregate in the aisles and complain about management like the rest of us?

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    4. Re:What do the patients do by courteaudotbiz · · Score: 1

      Also, it's possible to hook up an external pacemaker while the implanted one is being reflashed.

      I hope it's the case, cause having 465,000 pacemakers to reflash, you know... ever heard of Murphy's law? The patient better be in a good mood during the firmware update.

    5. Re:What do the patients do by sjames · · Score: 1

      And in many cases, as long as the patient is lying down comfortably, they will be fine with their own heart rhythm for a few minutes.

    6. Re:What do the patients do by courteaudotbiz · · Score: 1

      They'll probably be praying [...]

      I don't see how a prayer will save anything, let alone a pacemaker firmware update.

    7. Re:What do the patients do by Hognoxious · · Score: 1

      Why would that make her heart rate go up?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    8. Re:What do the patients do by parkinglot777 · · Score: 1

      The only person I've known with a pacemaker was a girl whose heart rate would go astronomically high for no apparent reason. It only happened a few times a week and the pacemaker would kick in and bring it back down.

      Other than during those events, the pacemaker didn't do anything.

      That's not a pacemaker. That is a defibrillator. Don't be confused. A pacemaker is to accelerate the heart beat from too slow to normal. A defibrillator, on the other hand, is to slow down the heart beat from abnormal to the normal range.

    9. Re:What do the patients do by Chewbacon · · Score: 1

      Some pacemakers -can- overdrive pace patients out of tachy rhythms. I think Medtronic is rolling this out in more pacers after favorable data in a trial of overdrive pacing while charging defibrillators (ICDs) - saved patients a bunch of shocks. Doesn't always work, however, and depends on the mechanism of the rhythm.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    10. Re: What do the patients do by Chewbacon · · Score: 1

      Generally, the refractory period won't change much from overdrive pacing the atrium. And not all are from re-entry circuits. What is happening is the stimulus from ATP conducts down a pathway while it conducts from the opposite direction, ergo obliterating the propagation and stopping the circuit. It doesn't always work and sometimes a shock is necessary if the device is configured to do so.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    11. Re: What do the patients do by Chewbacon · · Score: 1

      Right, and that is a property of the AV node, which is involved in AVNRT but not atrial flutter.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    12. Re:What do the patients do by david_thornley · · Score: 1

      Last I heard, defibrillators restarted the heart on a new cycle.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Is this why St Jude calls me every day? by Anonymous Coward · · Score: 1

    For the last five years!

  3. You know, it occurs to me that the entire plot.... by mark-t · · Score: 3, Interesting

    .. of Logan's Run (caution.... spoilers follow)....

    ...could be avoided if the City just installed devices that terminated people at the requisite age if they did not participate in their ritual instead of having to maintain a police-like organization of people that hunted them down.

    Of course, this could be circumvented by the (surgical) removal of such a device, which could itself have been the plot point of a different kind of story.

  4. Robocop by lobiusmoop · · Score: 1

    This is like something from the original Robocop movie.

    A similar kind of messed-up.

    "and remember... we care!"

    --
    "I bless every day that I continue to live, for every day is pure profit."
  5. Re:What OS do they run? by NicknameUnavailable · · Score: 1

    I'd seriously doubt it were more complex than a PIC microcontroller.

  6. Re:This can't be. by Narcocide · · Score: 1

    Is there a punchline you forgot to add, or am I just missing the sarcasm?

  7. Re:You know, it occurs to me that the entire plot. by Penguinisto · · Score: 1

    With all the shitty remakes of films recently, I can't believe they haven't done one for Logan's Run.

    Having seen how studios treat awesome classics of late when they try to crucif^M remake them?

    You can shut your damn mouth now and not give the studios any more ideas. :/

    Regards,
    Someone who has also had more than quite enough of the whole "gritty reboot" treatment.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  8. Re:What OS do they run? by courteaudotbiz · · Score: 2

    I think mine runs on ARGGGHHHHH....... ARGHHHHHH....... beeeeeeeeeeeeeeeeeeeeeeep

  9. Re:You know, it occurs to me that the entire plot. by PCM2 · · Score: 1
    --
    Breakfast served all day!
  10. Re:What OS do they run? by Anonymous Coward · · Score: 1

    Coroner's Note: He appears to have had his pacemaker beat changed and his heart wasn't funky enough to take it.

  11. Hacker=Threat Actor? by bigdady92 · · Score: 4, Funny

    Is this the new buzzword term of the week? What the hell is a Threat Actor? Tom Cruise on a bad hair day?

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
  12. Why is this necessary? by Locke2005 · · Score: 1

    You know, if you'd even think about launching a denial-of-service attack on a pacemaker, you're kind of an asshole, as well as a homicidal maniac!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Why is this necessary? by PolygamousRanchKid+ · · Score: 1

      You know, if you'd even think about launching a denial-of-service attack on a pacemaker, you're kind of an asshole, as well as a homicidal maniac!

      *Shrug*. What about folks who think about running rental vans into crowds of innocent pedestrians, and following up with machete attacks . . . ?

      Our Western Civilization is very tolerant of assholes . . . and those who support their doctrines in words and deeds.

      That's why it is necessary. I remember that when I was in elementary school, we didn't even have to lock our bikes. By the time I was in high school, you needed an elephant shackle. It's like a Law of Thermodynamics entropy decline where "asshole-ishness" is growing and cannot be stopped.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  13. Should have included 3g for remote administration by edtice1559 · · Score: 4, Insightful

    This is what happens when you try to save a few cents on the bill of materials and don't include a 3g radio for remote administration. That way you can just push out updates when security defects are found. Plus you could collect experience data in order to improve future products. (Apologies to the humor impaired)

  14. Not so easy to infiltrate by Anonymous Coward · · Score: 1

    Wife has a defibrillator/pacemaker. To do any programming you have an antenna placed over the device to interrogate it. Any further than a few inches and you lose signal. Yes, anything is possible, but clearly unless someone jumps you and proceeds to hack your device, I think most people are pretty safe. Also the Saint Jude devices like my wife's cannot be reprogrammed over a remote connection. Only recover events and errors.

    1. Re:Not so easy to infiltrate by PolygamousRanchKid+ · · Score: 1

      Yes, but even the slightest whiff of potential lawsuits for "enabling a real Internet kill switch" has the manufacturers of such devices running scared.

      They are going to be damn sure that their devices are hardened now. Hell, you could build a portable microwave pacemaker fryer if you want. And given the trend of things these days, someone will do it for shits & giggles. But the pacemaker manufacturer can't be held liable for that.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Not so easy to infiltrate by sjames · · Score: 1

      Keep in mind, Bluetooth is a short range signal as well, but with a specialized antenna, 100 meters or more is possible. Also keep in mind that if the device is programmable at all, an exploit could allow re-programming even if remote connections are supposed to be read-only.

    3. Re:Not so easy to infiltrate by arth1 · · Score: 1

      Hell, you could build a portable microwave pacemaker fryer if you want. And given the trend of things these days, someone will do it for shits & giggles.

      I doubt you would be able to elicit giggles with such a device. The other one, probably.
      Hacking hearing aids for the lulz is also coming, I'm sure. And electric wheelchairs.

  15. Re:Should have included 3g for remote administrati by Anonymous Coward · · Score: 1
  16. Re:Darwinism in action by arth1 · · Score: 1

    If you have a weak, defective heart that cannot maintain its own rhythm and subsequently allow a doctor to implant a hackable pacemaker into your chest, and then allow someone to get near enough to hack it, well my friend, it's time for you to go. Good day, sir.

    It is a problem that with the US medical system, the patient has no choice of treatment except a Hobson's choice. The doctors have far too much power. Even if you said you would want a device not running any software, a surgeon or insurance company would never let the patient decide.

  17. New market by Ol+Olsoc · · Score: 1

    The internet of dead things.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  18. Definitely don't want to brick that upgrade. by emmjayell · · Score: 1

    But if you do brick it, for the RMA, do you send the whole human back with the pacemaker, or do you extract the pacemaker so you can save on shipping?

    1. Re:Definitely don't want to brick that upgrade. by Crypto+Gnome · · Score: 1

      You'd need to uninstall the device and ship it *in the original packaging*.

      Sure uninstallation typically produces significant damage at the "installation site" (er human being) but that's not the manufacturers problem.

      --
      Visit CryptoGnome in his home.
  19. Re:Should have included 3g for remote administrati by Gravis+Zero · · Score: 1

    This is what happens when you try to save a few cents on the bill of materials and don't include a 3g radio for remote administration.

    I hope you are joking.

    A) A 3g radio would take a LOT of power compared to the rest of the unit.
    B) That would be one hell of a security hole! Cell networks are NOT secure. Baseband modems are NOT secure. A DoS attack alone could drain the battery in minutes!

    This is on par with tying a rope around your neck and attaching the other side to your car seat so that you don't get whiplash. It does solve the whiplash problem but you're still retarded for doing it.

    --
    Anons need not reply. Questions end with a question mark.
  20. Re:You know, it occurs to me that the entire plot. by Gravis+Zero · · Score: 1

    You know, it occurs to me that the entire plot of Logan's Run (caution.... spoilers follow)....

    Really?! Spoilers on the internet already?! It was just released to theaters two score and one year ago!

    --
    Anons need not reply. Questions end with a question mark.
  21. CAN YOU SWIM?! by Thud457 · · Score: 2

    when re-flashing a pacemaker, always be sure to mount a scratch monkey

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  22. Re:Should have included 3g for remote administrati by omnichad · · Score: 1

    It's definitely a joke. And even funnier, because of using cellular data operating in the microwave band - which people with pacemakers are already avoiding (at this close of a range, at least).

  23. Re:Should have included 3g for remote administrati by Hognoxious · · Score: 1

    Protip: read right to the end before replying.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  24. Re:Hippocratic oath requires open source software by clodney · · Score: 1

    When software runs a device that you literally depend on to live, you have a right to its source code.

    If you are going to stand on principle, why not go for "When you need a device to live, you have a right to the device"? Having access to the source code is mostly meaningless, and far less consequential than having access to the actual device.

  25. Re:You know, it occurs to me that the entire plot. by mark-t · · Score: 1

    Hey, I've been chewed out before just for saying stuff online about Star Wars a New Hope. My point was to offer a disclaimer in the hopes of avoiding that.

    I can't win.

  26. Re:You know, it occurs to me that the entire plot. by Gravis+Zero · · Score: 1

    I can't win.

    Welcome to the internet.

    --
    Anons need not reply. Questions end with a question mark.
  27. Null by godel_56 · · Score: 1

    Undoing moderation.

  28. Re:Darwinism in action by Blinkin1200 · · Score: 1

    Do you really think the doctor is going to know whether the device can be hacked? They all have some sort of communication protocol. My ICD is an older model. I have been able to communicate with it at distances up to ten feet. With a little antenna tweaking I hope to get the distance up to ten meters, then more... They are ALL designed for remote communications. All I am doing is changing the definition of the word 'remote'.

  29. Re: Darwinism in action by arth1 · · Score: 1

    That's BS. If you don't want a pacemaker then it is your decision not to get one.

    Exactly as I said, it's a Hobson's choice.

  30. Re:What OS do they run? by Mal-2 · · Score: 1

    However, he was still able to get down. I'd dare say he couldn't help himself. HNNNGGGGG!!!

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  31. Re:Darwinism in action by david_thornley · · Score: 1

    In what way do the doctors have too much power? They've got more knowledge and expertise than the rest of us, so they typically offer what treatments they think good, and the patient decides how to proceed among available options. You seem to think the options too limited, and seem to blame the doctors for not keeping obsolescent devices around.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes