Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2157
Abbott Laboratories Accent/Anthem, Accent MRI,
Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities
30 August 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Abbott Laboratories Accent/Anthem
Abbott Laboratories Accent MRI
Abbott Laboratories Assurity/Allure
Abbott Laboratories Assurity MRI
Publisher: ICS-CERT
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-12716 CVE-2017-12714 CVE-2017-12712
Original Bulletin:
https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory (ICSMA-17-241-01)
Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity
MRI Pacemaker Vulnerabilities
Original release date: August 29, 2017
Legal Notice
All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For
more information about TLP, see http://www.us-cert.gov/tlp/.
OVERVIEW
MedSec Holdings Ltd has identified vulnerabilities in Abbott Laboratories
(formerly St. Jude Medical) pacemakers. Abbott has produced a firmware patch
to help mitigate the identified vulnerabilities in their pacemakers that
utilize radio frequency (RF) communications. A third-party security research
firm has verified that the new firmware version mitigates the identified
vulnerabilities.
The Food and Drug Administration (FDA) released a safety communication on
August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities
Identified in Abbotts (formerly St. Jude Medicals) Implantable Cardiac
Pacemakers: FDA Safety Communication, regarding the identified vulnerabilities
and corresponding mitigation. In response, ICS-CERT is releasing this advisory
to provide additional detail to patients and healthcare providers.
AFFECTED PRODUCTS
The following pacemakers manufactured prior to August 28, 2017, are affected:
Accent/Anthem,
Accent MRI,
Assurity/Allure, and
Assurity MRI.
IMPACT
Successful exploitation of these vulnerabilities may allow a nearby attacker
to gain unauthorized access to a pacemaker and issue commands, change
settings, or otherwise interfere with the intended function of the pacemaker.
BACKGROUND
Abbott is a US-based company headquartered in Abbott Park, Illinois.
The affected pacemakers are implantable medical devices designed to deliver
electrical pulses to correct a slow heartbeat or no heartbeat at all.
According to Abbott, these pacemakers are deployed across the Healthcare and
Public Health sector. Abbott indicates that these products are used worldwide;
however, Accent and Anthem are no longer sold in the US.
VULNERABILITY CHARACTERIZATION
VULNERABILITY OVERVIEW
IMPROPER AUTHENTICATION[a]
The pacemaker's authentication algorithm, which involves an authentication key
and time stamp, can be compromised or bypassed, which may allow a nearby
attacker to issue unauthorized commands to the pacemaker via RF
communications.
CVE-2017-12712[b] has been assigned to this vulnerability. A CVSS v3 base
score of 7.5 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).[c]
IMPROPER RESTRICTION OF POWER CONSUMPTION[d]
The pacemakers do not restrict or limit the number of correctly formatted RF
wake-up commands that can be received, which may allow a nearby attacker to
repeatedly send commands to reduce pacemaker battery life.
CVE-2017-12714[e] has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).[f]
MISSING ENCRYPTION OF SENSITIVE DATA[g]
The Accent and Anthem pacemakers transmit unencrypted patient information via
RF communications to programmers and home monitoring units. The Assurity and
Allure pacemakers do not contain this vulnerability. Additionally, the Accent
and Anthem pacemakers store the optional patient information without
encryption; however, the Assurity and Allure pacemakers encrypt stored patient
information.
CVE-2017-12716[h] has been assigned to this vulnerability. A CVSS v3 base
score of 3.1 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).[i]
VULNERABILITY DETAILS
EXPLOITABILITY
These vulnerabilities could be exploited via an adjacent network.
Exploitability is dependent on an attacker being sufficiently close to the
target pacemaker as to allow RF communications.
EXISTENCE OF EXPLOIT
Exploitation of vulnerabilities has been publicly demonstrated; however,
exploit code is not publicly available.
DIFFICULTY
An attacker with high skill would be able to exploit these vulnerabilities.
MITIGATION
Abbott has developed a firmware update to help mitigate the identified
vulnerabilities. The version numbers of the firmware update for each product
family are as follows:
Accent/Anthem, Version F0B.0E.7E,
Accent MRI/Accent ST, Version F10.08.6C,
Assurity/Allure, Version F14.07.80, and
Assurity MRI, Version F17.01.49.
The pacemaker firmware update will implement RF wake-up protections and limit
the commands that can be issued to pacemakers via RF communications.
Additionally the updated pacemaker firmware will prevent unencrypted
transmission of patient information (Accent and Anthem only). The firmware
update can be applied to an implanted pacemaker via the Merlin PCS Programmer
by a healthcare provider. It is recommended that healthcare providers discuss
this update with their patients and carefully consider the potential risk of a
cybersecurity attack along with the risk of performing a firmware update.
Implementation of the firmware update is to be determined based on the
physician's professional judgment and patient management considerations.
Pacemakers manufactured beginning August 28, 2017, will have this update
preloaded on devices.
Abbott states that firmware updates should be approached with caution. Like
any software update, firmware updates can cause devices to malfunction.
Potential risks include loss of device settings, the device going into back-up
mode, reloading of the previous firmware due to a failed upgrade, loss of
diagnostic data, and a complete loss of device functionality. The Abbott
Cybersecurity Medical Advisory Board has reviewed this firmware update and the
associated risk of performing the update in the context of potential
cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to
whether the firmware update is advisable for a particular patient, the
Cybersecurity Medical Advisory Board recommends the following:
Healthcare providers and patients should discuss the risk and benefits of the
cybersecurity vulnerabilities and associated firmware update during the next
regularly scheduled visit. As part of this discussion, it is important to
consider patient-specific issues such as pacemaker dependence, age of device,
patient preference, and provide patients with the Patient Communication.
Determine if the update is appropriate given the risk of update for the
patient. If deemed appropriate, install this firmware update following the
instructions provided by the manufacturer.
For pacing dependent patients, consider performing the cybersecurity firmware
update in a facility where temporary pacing and pacemaker generator change are
readily available, due to the risk of firmware update malfunction.
Patients and healthcare providers with questions can call the dedicated
hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for
more information.
The FDA issued a safety communication on August 29, 2017, Firmware Update to
Address Cybersecurity Vulnerabilities Identified in Abbotts (formerly St. Jude
Medicals) Implantable Cardiac Pacemakers: FDA Safety Communication, is
available at the following location:
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
a. CWE-287: Improper Authentication,
http://cwe.mitre.org/data/definitions/287.html, web site last accessed August
29, 2017.
b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12712, NIST
uses this advisory to create the CVE web site report. This web site will be
active sometime after publication of this advisory.
c. CVSS Calculator,
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
web site last accessed August 29, 2017.
d. CWE-920: Improper Restriction of Power Consumption,
http://cwe.mitre.org/data/definitions/920.html, web site last accessed August
29, 2017.
e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12714, NIST
uses this advisory to create the CVE web site report. This web site will be
active sometime after publication of this advisory.
f. CVSS Calculator,
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
web site last accessed August 29, 2017.
g. CWE-311: Missing Encryption of Sensitive Data,
http://cwe.mitre.org/data/definitions/311.html, web site last accessed August
29, 2017.
h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12716, NIST
uses this advisory to create the CVE web site report. This web site will be
active sometime after publication of this advisory.
i. CVSS Calculator,
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
web site last accessed August 29, 2017.
Contact Information
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov
ICS-CERT continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this
product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWaYOk4x+lLeg9Ub1AQiZTQ//fnX1GQ+r3MN2jFWPd8yUkRVU1zHvo7Gm
45eAbR1VF4zIX4NeXlRFoIM9DcIrogUsL/FmVgtMuqfBAwjfwNN8GXCy6TY6eK7c
7wWHblb3NRtWECDqqBdGy2wdiuhGVZrlvEzMR5wyHDiUy4l5SdDW599RuISZuWIx
rWNsFwDqe1P0Tr2nTAguhUprTaDmus29Az+wD66y1sy6ZcW3jdNYloLltCXHZnHp
ypKdeJzYSq8lkZVTdnK1zyi2zriFxUg+fX24OKosQUGlVicwLuvlRCUZlh1NBxGC
Qgqd/AVizNjSiqJArOGNwUYb2j4TaZ4FQdFA1mOuUUFGPqDhfL87mOtQoba1pPpg
GWtEALVsYlga+1+nnVbmCDk42zMBYjNNgrB2E56cGyvPxsb5v/c0ZnVRU9xG0vwW
+aana6OaKEC6krYPGunVlD/nSBDqxCU0fOh55A50Joq/jOGePjFYlVTHEUxRqHXG
0NVBKG0p26ISQ0HYrPBGNcVcat34A8mB5hyUR41qVXHu6xNUBAXDq56yaB/XL2TV
A070UB2E9/kEP0Y/fhzA9biORz4MoMWiFCafBj7K3LYI6zWPpbcobgYbRFjSBDGL
OJ65rD4onYZ7xernEhsD1vrAUGyq7gxrk3/pxX74/Ycg2XYirqVjhnzQFR5SCCHl
2sj6ZHW9gds=
=2Vls
-----END PGP SIGNATURE-----