FDA Recalls 465K Pacemakers/ATM Skimming on the Rise
By Bryce Briggles on September 8, 2017
Overview
The Federal Drug Administration (FDA) is recalling 465,000 pacemakers manufactured by Abbott Laboratories due to vulnerabilities that can allow attackers to gain unauthorized access. The affected pacemakers manufactured before August 28, 2017 include:
- Accent/Anthem
- Accent MRI
- Assurity/Allure
- Assurity MRI
Abbott has released a patch for the vulnerabilities that affect their pacemakers that utilize radio frequency communications. According to the FDA, a third-party security research firm has confirmed that the vulnerabilities are mitigated by the firmware update.
Vulnerabilities
ICS-CERT cited three vulnerabilities affecting Abbott Laboratories’ pacemakers in its advisory. The first (CVE-2017-12712) is related to the pacemaker’s authentication algorithm. The algorithm, which involves an authentication key and timestamp, can be bypassed, allowing a nearby attacker to deliver commands via RF communications.
The second vulnerability (CVE-2017-12714) is related to a reduction in a pacemaker’s battery life. The pacemakers do not have a control in place that prevents or limits the number of “RF wake-up” commands they can receive, so nearby attackers may be able to send these commands repeatedly and ultimately lower a pacemaker’s battery life.
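The kind of control this paragraph says is missing can be sketched as a token-bucket limit on wake-up requests. This is an added illustration, not Abbott's firmware or the contents of its update; the type, function names and limits (`wake_limiter`, `WAKE_BURST`, `WAKE_REFILL_SECS`) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical limits; real values would come from the device's battery budget. */
#define WAKE_BURST       4u    /* wake-ups allowed back to back */
#define WAKE_REFILL_SECS 900u  /* one wake-up restored every 15 minutes */

typedef struct {
    uint32_t tokens;      /* wake-ups currently permitted */
    uint32_t last_refill; /* seconds, from a monotonic low-power clock */
    uint32_t dropped;     /* ignored requests, kept for later review */
} wake_limiter;

void wake_limiter_init(wake_limiter *w, uint32_t now)
{
    w->tokens = WAKE_BURST;
    w->last_refill = now;
    w->dropped = 0;
}

/* Returns true if the radio may be powered up for this wake-up request. */
bool wake_limiter_allow(wake_limiter *w, uint32_t now)
{
    /* Unsigned subtraction stays correct if the clock counter wraps. */
    uint32_t earned = (now - w->last_refill) / WAKE_REFILL_SECS;

    if (earned > 0) {
        uint32_t room = WAKE_BURST - w->tokens;
        w->tokens += (earned > room) ? room : earned;
        w->last_refill += earned * WAKE_REFILL_SECS; /* keep the partial interval */
    }
    if (w->tokens == 0) {
        if (w->dropped < UINT32_MAX) w->dropped++;
        return false; /* stay asleep: no radio power is spent */
    }
    w->tokens--;
    return true;
}

/* Constructed workload: `count` requests arriving `spacing_secs` apart. */
uint32_t simulate_requests(uint32_t count, uint32_t spacing_secs)
{
    wake_limiter w;
    uint32_t accepted = 0;
    wake_limiter_init(&w, 0);
    for (uint32_t i = 0; i < count; i++)
        if (wake_limiter_allow(&w, i * spacing_secs)) accepted++;
    return accepted;
}
```

With these limits, a flood of 1,000 requests one second apart powers the radio only five times, while hourly requests are all served.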
The third flaw discovered (CVE-2017-12716) has to do with unencrypted patient information being transmitted to home monitoring units and programmers via RF communications, as well as patient data being stored in clear text on the devices. However, this vulnerability only affects the Accent and Anthem pacemakers.
Recommendations
Abbott Laboratories released a firmware update to mitigate the discovered vulnerabilities. The version numbers of the update for each family of products are:
- Accent/Anthem: Version F0B.0E.7E
- Accent MRI/Accent ST: Version F10.08.6C
- Assurity/Allure: Version F14.07.80
- Assurity MRI: Version F17.01.49
Although Abbott recommends that the updates be applied, they stated that the updates should be approached with caution. As with any type of software update, there is always the possibility of the device malfunctioning as a result.
The Abbott Cybersecurity Medical Advisory Board reviewed the update and the associated risks and came up with the following recommendations for health care providers:
- Do not remove and replace the affected devices.
- Discuss the benefits and risks of the firmware update and the vulnerabilities with your patients at their next visit. As part of the discussion, it is also important to take into account each patient’s circumstances, such as the age of the device, pacemaker dependence, and patient preference, and to give them Abbott’s Patient Guide.
- Determine the appropriateness of the update considering the risks to the patient. If deemed appropriate, follow the update installation instructions provided.
- Due to the risk of device malfunction, for pacing-dependent patients, consider performing the update in a facility where temporary pacing and pacemaker generators are easily accessible.
- After the update, confirm the functionality of the device.
- Contact Abbott’s technical support hotline at 1-800-722-3774 with any questions regarding the firmware update.
ATM Skimming
According to FICO, the number of cards compromised at U.S. ATMs and merchants increased by 39 percent in the first half of 2017 compared to the previous year. The latest information from the FICO Card Alert Service, which monitors hundreds of thousands of ATMs and card readers throughout the US, shows that the number of compromises is on track to set a new high.
FICO offered the following tips for consumers:
- If an ATM looks odd, or your card doesn’t enter the machine smoothly, consider going somewhere else for your cash.
- Never approach an ATM if anyone is lingering nearby. Never engage in conversations with others around an ATM. Remain in your automobile until other ATM users have left the ATM.
- If your plastic card is captured inside of an ATM, call your card issuer immediately to report it. Sometimes you may think that your card was captured by the ATM when in reality it was later retrieved by a criminal who staged its capture. Either way, you will need to arrange for a replacement card as soon as possible.
- Ask your card issuer for a new card number if you suspect that your payment card may have been compromised at a merchant, restaurant or ATM. It’s important to change both your card number and your PIN whenever you experience a potential theft of your personal information.
- Check your card transactions frequently, using online banking and your monthly statement.
- Ask your card provider if they offer account alert technology that will deliver SMS text communications or emails to you in the event that fraudulent activity is suspected on your payment card.
- Update your address and cell phone information for every card you have, so that you can be reached if there is ever a critical situation that requires your immediate attention.
Sources:
https://threatpost.com/fda-recalls-465k-pacemakers-tied-to-medsec-research/127750/
https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
https://www.helpnetsecurity.com/2017/09/05/skimming-grows/
http://www.fico.com/en/blogs/fraud-security/double-digit-atm-compromise-growth-continues-in-us/