Almost half a million pacemakers need a firmware update to avoid getting hacked

Nearly half a million pacemakers are being recalled by the US Food and Drug Administration after the agency found that the devices could be hacked to control pacing or deplete batteries. Rather than having patients remove or replace the device, however, the manufacturer is releasing a firmware update designed to address the vulnerabilities.

Yes, that’s right — grandpa, grandma, your baby, or anyone with arrhythmia who has a pacemaker implanted might need to get a firmware update.

The affected pacemakers are made by St. Jude Medical, which was acquired by Abbott in January. The models are radio-frequency enabled, and were manufactured before August 28th. Any device manufactured from this week on will have the update pre-installed.

The FDA estimates that 465,000 vulnerable devices have been implanted in patients in the US. Hackers could use “commercially available” equipment to change the devices’ programming. In May, researchers found that pacemaker programmers could intercept the device using equipment that cost anywhere between $15 and $3,000, reported Ars Technica. Abbott will now require devices to provide authorization in order to communicate with the pacemaker.

Firmware is basically software that runs on a piece of hardware, and the update should be an easier fix for patients than undergoing surgery for a new, hack-proof device. Unfortunately, patients who require a firmware update can’t get it at home. Instead, they’ll have the three-minute update administered by a healthcare provider. During this time, the device will run in backup mode. It’s possible that diagnostic data or settings will be lost — or worse, that the device will be bricked — so patients should talk to their doctors about the risks and benefits of updating their pacemakers.

In the alert, the FDA warned patients that any device that connects to Wi-Fi or the internet is vulnerable to hacking. But the agency also noted that connectivity has its benefits — including safer and more convenient health care. As with most things in medicine, patients will have to determine whether the risks are worth it.

This isn’t the first time Abbott’s St. Jude Medical unit’s pacemakers have been found to contain cybersecurity vulnerabilities. In January, the FDA issued a similar warning for the company’s implantable RF pacemakers and corresponding transmitters that could be exploited to administer inappropriate pacing or shocks.


I don’t see why every company other than the main smartphone and PC OEMs is so stupid about security. This, the Chevy getting hacked demo on WIRED, and so many other incidents lead me to believe that no one with an actual, functioning human brain is running the decisions about security at these companies.

I am a HUGE home automation and IoT nerd, but even I would prefer that my pacemaker would not be online… that’s waaay too risky.

From the article title:

need a firmware update to avoid getting hacked

I’m not sure if "avoid" is soft enough to show the uncertainty of the firmware update’s impregnability. Maybe "to try avoiding" is better. They were hackable before, they will still be hackable after this firmware update.

An important piece of information that should be included in any breathless article about this pacemaker’s cybersecurity vulnerabilities …

There are no known reports of patient harm related to the cybersecurity vulnerabilities in the 465,000 (US) implanted devices impacted.

More interesting would be information on how "cybersecurity" is implemented in implantable life-sustaining or life-saving devices. Password? Who has the password? The possibly unconscious patient?
