465,000 Patients Need Software Updates for Their Hackable Pacemakers, FDA Says

A painful reminder that a future where the internet is in every device—even the most critical one—can be disastrous.

Aug 30 2017, 2:53pm

Patching has long been one of the most tedious chores for those who want to keep their electronic devices secure or up to date. Sometimes, patches require a restart, disrupting your workflow. Sometimes, patches screw up the software, making it unusable. These are just some of the reasons why users normally dread patching.

Now, imagine if you had to patch the thing that keeps you alive.

That's the situation almost 500,000 people who rely on buggy pacemakers face right now. On Tuesday, the US Food and Drug Administration announced a recall of several vulnerable models of pacemakers made by Abbott, a global health company that used to be known as St. Jude Medical. The recall aims to reduce the risk of hackers taking control of the pacemakers and potentially harming the patients.


Patients who have one of these devices will have to visit their doctors and update the pacemakers' firmware while the devices are in backup mode, according to an open letter sent by Abbott to doctors. The FDA estimates that around 465,000 patients have a vulnerable pacemaker that needs to be patched, according to the agency's advisory.

Last year, a hedge fund called Muddy Waters warned that the devices could be hacked from up to 50 feet away, an accusation that the fund used to put pressure on the company's stock. While there are no reports that anyone has ever been harmed because of the vulnerabilities that this patch fixes, this is a good reminder that connected medical devices can pose unprecedented risks to patients. In the case of Abbott's pacemakers, it was possible for a hacker to take control of the pacemaker from a relatively short distance to draw down the battery or accelerate the pace.

"The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users," the FDA notice reads. "However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery."

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv
