FYI.

This story is over 5 years old.

Tech

465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says

A painful reminder that a future where the internet is in every device—even the most critical one—can be disastrous.
Image: ChooChin/Shutterstock

Patching has long been one of the most tedious chores for those who want to keep their electronic devices secure or up to date. Sometimes, patches require a restart, disrupting your workflow. Sometimes, patches screw up the software, making it unusable. These are just some of the reasons why users normally dread patching.

Now, imagine if you had to patch the thing that keeps you alive.

That's the situation almost 500,000 people who rely on buggy pacemakers face right now. On Tuesday, the US Food and Drug Administration announced a recall of several vulnerable models of pacemakers made by Abbott, a global health company that used to be known as St. Jude Medical. The recall has the goal of reducing the risk of hackers taking control of the pacemakers, potentially, harming the patients.

Advertisement

Patients who have one of these devices will have to visit their doctors and update the pacemakers' firmware while the devices are in backup mode, according to an open letter sent by Abbott to doctors. The FDA estimates that around 465,000 patients have a vulnerable pacemaker that needs to be patched, according to the agency's advisory.

Last year, a hedge fund called Muddy Waters warned that the devices could be hacked from up to 50 feet away, an accusation that the fund used to put pressure on the company's stock. While there are no reports that anyone has ever been harmed because of the vulnerabilities that this patch fixes, this is a good reminder that connected medical devices can pose unprecedented risks to patients. In the case of Abbott's pacemakers, it was possible for a hacker to take control of the pacemaker from a relatively short distance to drawn down the batter or accelerate the pace.

"The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users," the FDA notice reads. "However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery."

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

Get six of our favorite Motherboard stories every day by signing up for our newsletter.