CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
32.2%
CVSS v3 7.5
ATTENTION: Exploitable remotely
Vendor: Abbott Laboratories
Equipment: Implantable Cardioverter Defibrillator and Cardiac Synchronization Therapy Defibrillator
Vulnerabilities: Improper Authentication and Improper Restriction of Power Consumption
MedSec Holdings Ltd., has identified vulnerabilities in Abbott Laboratories’ (formerly St. Jude Medical) Implantable Cardioverter Defibrillator (ICD) and Cardiac Synchronization Therapy Defibrillator (CRT-D). Abbott has produced firmware updates to help mitigate identified vulnerabilities in their eligible ICDs and CRT-Ds that utilize radio frequency (RF) communications. A third-party security research firm has verified the new firmware updates mitigate the identified vulnerabilities.
The Food and Drug Administration (FDA) released a safety communication on April 17, 2018, titled “Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication,” regarding the identified vulnerabilities and corresponding mitigation. In response, NCCIC is releasing this advisory to provide additional detail to patients and healthcare providers.
Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.
Impact to individual organizations depends on many factors unique to each organization. NCCIC recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.
The following ICDs and CRT-Ds manufactured and distributed prior to April 19, 2018, are affected:
The device’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the ICD or CRT-D via RF communications.
CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted “RF wake-up” commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce device battery life.
CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.
The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.
Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.
The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.
MedSec Holdings Ltd., reported these vulnerabilities to Abbott Laboratories and NCCIC.
Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
The firmware update provides additional security to reduce the risk of unauthorized access by bypassing authentication to the following high voltage device families that utilize wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.
The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.
Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:
Abbott’s older generation devices (i.e., Current and Promote) are not capable of accepting the firmware update due to technology limitations. If healthcare providers and patients have any concerns relating to device cybersecurity for those patients implanted with Current/Promote devices, providers have the option to permanently disable the RF communication capability in the device. However, if this option is selected, the patient can no longer be monitored remotely using an RF Merlin@home transmitter. For most patients, permanently disabling RF is not advisable given the proven benefits and improved survival associated with home monitoring.
Therefore, the Medical Advisory Boards recommends the following:
Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more information.
Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication: FDA Safety Communication is available at the following location:
<https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm>
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.
No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.
cwe.mitre.org/data/definitions/920.html
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01
cwe.mitre.org/data/definitions/287.html
nvd.nist.gov/vuln/detail/CVE-2017-12712
nvd.nist.gov/vuln/detail/CVE-2017-12714
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Abbott%20Laboratories%20Defibrillator+https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01&title=Abbott%20Laboratories%20Defibrillator
www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01
www.oig.dhs.gov/
www.sjm.com/cyberupdate%20
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Abbott%20Laboratories%20Defibrillator&body=www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
32.2%