Ticking time bomb: Nearly half million pacemakers vulnerable to hacking, FDA issues calls for firmware update

If not fixed, hackers could exploit this vulnerability to modify pacing or deplete battery of the device.

Pacemaker security flaw — Several pacemakers from Abbott found vulnerable to hacking -- Representational Image REUTERS/Fabrizio Bensch

The US Food and Drug Administration has issued a notice to protect nearly half a million Abbott pacemaker users from a vulnerability that makes the devices susceptible to hacking.

In order to prevent what could be a life-threatening situation for many, the FDA has issued an advisory flagging a major security flaw that makes cardiac pacemakers – radio-frequency enabled devices that correct irregular heartbeats – vulnerable to hacking.

The administration is asking as many as 465,000 people in the US to get an update for their devices. The security flaw has been detected in several models manufactured by St. Jude Medical, an Abbott-acquired manufacturer of medical devices. The notice says that this three-minute firmware upgrade will fix the issue.

According to the advisory, the said vulnerability, if exploited, could allow an unauthorised user to modify the programming of a patient's device.

Once a hacker gains control of the device, he could fiddle with its pacing or deplete its battery to harm the patient, notes FDA. Department of Homeland Security, on the other hand, has said only someone with high-skills and nearby a person with a pacemaker could do that.

Though no reports have suggested exploitation of a pacemaker-related vulnerability, FDA has stressed the importance of this update.

All patients who have got a vulnerable Abottt pacemaker implanted in their chests can get the issue addressed, without undergoing surgery for a new, hack-proof device. They will have to visit a doctor, who would put the pacemaker into the backup and patch the firmware.

A letter from Abbott representatives notes, "pacing dependent patients should get the update in a facility where temporary pacing and pacemaker generator can be readily provided, due to the very small estimated risk of firmware update malfunction".

There is no word on how many pacemakers have been affected in other countries, but the flaw is a clear indicator of the threat posed by vulnerabilities in modern medical devices.