An acquaintance of mine told me he received a notification from his doctor about cybersecurity vulnerabilities in his pacemaker. He's not alone. The FDA issued an alert about security flaws in 465,000 pacemakers that use radio frequency (RF) communications and came from Abbott (formerly St. Jude Medical).

The "fix" is not a surgical replacement pacemaker, but a firmware update that takes about three minutes to complete and carries a "very low risk of update malfunction;" a very small percentage of people might experience a "complete loss of device functionality" during the firmware update. The patch covers St. Jude Medical's pacemakers: Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure.

My acquaintance's doctor, who he swears has been very good to him in the past, said he could come in and have the firmware fix if he wanted to, but suggested against it because it wasn't much of an issue. Unlike some pacemaker patients, this dude works in IT and understands the impact described in the ICS-CERT advisory:

"Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker."

The pacemaker vulnerabilities include improper authentication that can be compromised or bypassed, another flaw that could allow a nearby attacker to issue commands that drain the battery, and a flaw that results in sensitive patient information being transmitted without encryption.

Exploit code for the pacemakers reportedly is not floating around in the wild, but it seems unwise for any cardiologist to downplay the risks and discourage patients from coming in to get the firmware update. Perhaps not all understand why the firmware is important. After all, an Abbott press release noted that "an advisory issued by the U.S. Department of Homeland Security [said] compromising the security of these devices would require a highly complex set of circumstances."

Yet according to the letter Abbott sent doctors (pdf download), "If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality."

Now that Abbott has publicly admitted to the security vulnerabilities and released a firmware update, why blow it off? It took a long time, an ethical battle in the security community and a lot of heat to get to the point of a firmware fix being released.

What it took to get a pacemaker firmware fix

Let's rewind a bit for the big picture. A year ago, MedSec teamed up with short-selling firm Muddy Waters and publicly disclosed (pdf) remotely exploitable flaws found in St. Jude pacemakers and defibrillators. Shares of St. Jude immediately fell, despite St. Jude vehemently denying the "false and misleading" report. St. Jude also filed a lawsuit for defamation, as the security community argued the ethics of the disclosure.

St. Jude disputed pretty much everything Muddy Waters and MedSec claimed, including that the implantable medical devices could be hacked — battery depleted — at a distance of 50 feet, saying the wireless range was about 7 feet.

In October 2016, MedSec released four videos demonstrating the attacks. St. Jude blew off the "unverified claims." But then, cybersecurity firm Bishop Fox "replicated first-hand many of the attacks."

The Bishop Fox report (pdf) claimed, "The wireless protocol used for communication amongst St. Jude Medical cardiac devices has serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care and delivering shocks to patients at distances of 10 feet, a range that could be extended using off-the-shelf parts to modify Merlin@home units."

Let's flash forward to January 2017. After Abbott Laboratories acquired St. Jude Medical for close to $25 billion, the FDA issued an alert and Homeland Security's ICS-CERT issued an advisory about many of the cybersecurity vulnerabilities that MedSec and Muddy Waters had first publicly disclosed. To "improve patient safety," St. Jude released a patch for vulnerabilities it had previously denied.

Muddy Waters claimed the "fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."

Profits Over Patients pointed out, "Matthew Green, an assistant professor for computer science at Johns Hopkins University and a part of the Bishop Fox team, called one vulnerability 'probably the most impactful vulnerability I've ever seen.'"

Meanwhile, the lawsuit raged on.

Zip forward a few months to April, when the FDA sent a warning letter that roasted Abbott for failing to address the vulnerabilities, including those first pointed out to St. Jude as far back as April 2014. Furthermore, the firm claimed there had been no deaths related to the battery depletion issue, even though the first death related to that flaw occurred in 2014.

Zoom forward to August 2017, and we're back where we started, with the FDA and the Department of Homeland Security warning about cybersecurity vulnerabilities in 465,000 pacemakers that need the newly released firmware patch. Oh, and I've not seen anything about the lawsuit being dropped.

This may be a first, but the FDA warned:

"Many medical devices — including St. Jude Medical's implantable cardiac pacemakers — contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates."

More information about the pacemaker firmware patch

As for this firmware fix, you can input your device's model number to find out if it is subject to the battery depletion advisory. You can read the product advisories here, read the FDA notice here, and read the Department of Homeland Security's notice here.