8.3 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
32.4%
MedSec Holdings Ltd has identified vulnerabilities in Abbott Laboratories’ (formerly St. Jude Medical) pacemakers. Abbott has produced a firmware patch to help mitigate the identified vulnerabilities in their pacemakers that utilize radio frequency (RF) communications. A third-party security research firm has verified that the new firmware version mitigates the identified vulnerabilities.
The Food and Drug Administration (FDA) released a safety communication on August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication, regarding the identified vulnerabilities and corresponding mitigation. In response, ICS-CERT is releasing this advisory to provide additional detail to patients and healthcare providers.
The following pacemakers manufactured prior to August 28, 2017, are affected:
Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
Abbott is a US-based company headquartered in Abbott Park, Illinois.
The affected pacemakers are implantable medical devices designed to deliver electrical pulses to correct a slow heartbeat or no heartbeat at all. According to Abbott, these pacemakers are deployed across the Healthcare and Public Health sector. Abbott indicates that these products are used worldwide; however, Accent and Anthem are no longer sold in the US.
The pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.
CVE-2017-12712NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12712, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed August 29, 2017.
The pacemakers do not restrict or limit the number of correctly formatted “RF wake-up” commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.
CVE-2017-12714NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12714, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, web site last accessed August 29, 2017.
The Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information.
CVE-2017-12716NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12716, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, web site last accessed August 29, 2017.
These vulnerabilities could be exploited via an adjacent network. Exploitability is dependent on an attacker being sufficiently close to the target pacemaker as to allow RF communications.
Exploitation of vulnerabilities has been publicly demonstrated; however, exploit code is not publicly available.
An attacker with high skill would be able to exploit these vulnerabilities.
Abbott has developed a firmware update to help mitigate the identified vulnerabilities. The version numbers of the firmware update for each product family are as follows:
The pacemaker firmware update will implement “RF wake-up” protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician’s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.
Abbott states that firmware updates should be approached with caution. Like any software update, firmware updates can cause devices to malfunction. Potential risks include loss of device settings, the device going into back-up mode, reloading of the previous firmware due to a failed upgrade, loss of diagnostic data, and a complete loss of device functionality. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:
Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit <https://www.sjm.com/cyberupdate> for more information.
The FDA issued a safety communication on August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication, is available at the following location:
<https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm>
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Abbott%20Laboratories%E2%80%99%20Accent/Anthem%2C%20Accent%20MRI%2C%20Assurity/Allure%2C%20and%20Assurity%20MRI%20Pacemaker%20Vulnerabilities+https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01&title=Abbott%20Laboratories%E2%80%99%20Accent/Anthem%2C%20Accent%20MRI%2C%20Assurity/Allure%2C%20and%20Assurity%20MRI%20Pacemaker%20Vulnerabilities
www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01
www.oig.dhs.gov/
www.sjm.com/cyberupdate
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Abbott%20Laboratories%E2%80%99%20Accent/Anthem%2C%20Accent%20MRI%2C%20Assurity/Allure%2C%20and%20Assurity%20MRI%20Pacemaker%20Vulnerabilities&body=www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01
8.3 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
32.4%