Pacemakers ready for placement. Pacemakers made by Abbott (formerly St. Jude Medical) are affected, while those by Medtronic (shown left) are not. Photo: AP

The Food and Drug Administration announced today that 465,000 pacemakers installed in the US have a security vulnerability that could be exploited to make the device operate too quickly or deplete its batteries, and these devices need firmware updates to keep them from getting hacked.


Yikes.

The vulnerability affects radio frequency-enabled devices made by Abbott (formerly St. Jude Medical). Fortunately, the Department of Homeland Security says that an attacker would need to be near a person with a pacemaker in order to exploit the vulnerability.


There haven’t been any reports of the vulnerability being exploited in the wild, according to the FDA. DHS also notes that the exploit code is not publicly available, so there’s not much risk of a random hacker stumbling across it. “An attacker with high skill would be able to exploit these vulnerabilities,” DHS said.

Still, even though there’s not a ton of risk of having your pacemaker hacked in public, the FDA recommends that patients with the device make an appointment with their doctors to get the firmware update.

“These vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA warned.

[FDA, DHS]