The Food and Drug Administration announced this week that 465,000 pacemakers installed in the US have a security vulnerability that could be exploited to make the device operate too quickly or deplete its batteries, and these devices need firmware updates to keep them from getting hacked.
Fortunately, the Department of Homeland Security says that an attacker would need to be nearby a person with a pacemaker in order to exploit the vulnerability.
There haven’t been any reports of the vulnerability being exploited in the wild, according to the FDA. DHS also notes that the exploit code is not publicly available, so there’s not much risk of a random hacker stumbling across it. “An attacker with high skill would be able to exploit these vulnerabilities,” DHS said.
Still, even though there’s not a tonne of risk of having your pacemaker hacked in public, the FDA recommends that patients with the device make an appointment with their doctors to get the firmware update.
“These vulnerabilities, if exploited, could allow an unauthorised user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the FDA warned. [FDA, DHS]