Around 465,000 Americans with pacemakers fitted are being advised to visit their doctor to get an important software upgrade – otherwise their life-saving inner gadget could be vulnerable to a hacking attempt.
Pacemaker manufacturer Abbott Laboratories has issued the call together with the Food and Drug Administration (FDA), after discovering critical flaws in the devices that could enable someone nearby to take control of them.
Any pacemaker issued before 28 August 2017 and made by St Jude Medical (since taken over by Abbott) could be affected. Newer pacemakers fitted from this date on will already have the necessary security patches applied.
"If there were a successful attack, an unauthorised individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability," writes Abbott's Susan Jezior Slane in a letter to doctors.
As you'll know if you or someone in your family has one, pacemakers are fitted in the chest to help the heart beat at a regular speed. The heart has its own natural pacemaker, but this can malfunction, and may need a bit of artificial assistance.
These artificial pacemakers are fitted with tiny radio components so they can be controlled and updated without having to cut them out and replace them each time.
However, the flaw discovered in the faulty pacemakers means someone with the right technical know-how could connect to one of the devices and change its settings – maybe even stopping it altogether.
That might seem extreme, but it's not all that difficult to do, and security researchers have raised the possibility of someone using this as a way of extorting money. Fortunately, nothing like this has known to have been attempted so far, says the FDA: pacemaker hacks haven't crossed from TV drama to real life just yet.
The problem is with a lack of authorisation for connecting devices together. In other words, these pacemakers are currently exposed like a Wi-Fi network without a password, so anyone passing by can log on.
However, you need more than a laptop or smartphone. The kit to hack into a pacemaker can be bought commercially for anywhere between US$15 and US$3,000, according to an investigation by Ars Technica.
In order to plug the security gap, the pacemakers need an update to their firmware, the type of software that runs at a very low level on a device.
Once the update is applied wirelessly, the pacemakers are locked down and will only communicate with approved medical equipment. The process should take a few minutes but there's always a slim chance something might go awry, so patients are being told to discuss the risks with their doctors first.
There's no doubt that technology and gadgets are improving our health and improving medical access – from being able to Skype a doctor from a remote village to replacing broken parts of our bodies – but it's important that we stay on top of the associated security risks and alerts.
"As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates," says the FDA.
Let's hope everyone affected can get their pacemakers safely updated.
You can find more information about the update direct from Abbott.