-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2157
     Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and
                    Assurity MRI Pacemaker Vulnerabilities
                               30 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Abbott Laboratories Accent/Anthem
                   Abbott Laboratories Accent MRI
                   Abbott Laboratories Assurity/Allure
                   Abbott Laboratories Assurity MRI
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12716 CVE-2017-12714 CVE-2017-12712

Original Bulletin:
   https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-17-241-01)
Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and
Assurity MRI Pacemaker Vulnerabilities

Original release date: August 29, 2017

Legal Notice

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of
this product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

MedSec Holdings Ltd has identified vulnerabilities in Abbott Laboratories
(formerly St. Jude Medical) pacemakers.
Abbott has produced a firmware patch to help mitigate the identified
vulnerabilities in their pacemakers that utilize radio frequency (RF)
communications. A third-party security research firm has verified that the
new firmware version mitigates the identified vulnerabilities.

The Food and Drug Administration (FDA) released a safety communication on
August 29, 2017, "Firmware Update to Address Cybersecurity Vulnerabilities
Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac
Pacemakers: FDA Safety Communication", regarding the identified
vulnerabilities and corresponding mitigation. In response, ICS-CERT is
releasing this advisory to provide additional detail to patients and
healthcare providers.

AFFECTED PRODUCTS

The following pacemakers manufactured prior to August 28, 2017, are
affected: Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.

IMPACT

Successful exploitation of these vulnerabilities may allow a nearby attacker
to gain unauthorized access to a pacemaker and issue commands, change
settings, or otherwise interfere with the intended function of the
pacemaker.

BACKGROUND

Abbott is a US-based company headquartered in Abbott Park, Illinois.

The affected pacemakers are implantable medical devices designed to deliver
electrical pulses to correct a slow heartbeat or no heartbeat at all.
According to Abbott, these pacemakers are deployed across the Healthcare and
Public Health sector. Abbott indicates that these products are used
worldwide; however, Accent and Anthem are no longer sold in the US.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER AUTHENTICATION[a]

The pacemaker's authentication algorithm, which involves an authentication
key and time stamp, can be compromised or bypassed, which may allow a nearby
attacker to issue unauthorized commands to the pacemaker via RF
communications.

CVE-2017-12712[b] has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).[c]

IMPROPER RESTRICTION OF POWER CONSUMPTION[d]

The pacemakers do not restrict or limit the number of correctly formatted RF
wake-up commands that can be received, which may allow a nearby attacker to
repeatedly send commands to reduce pacemaker battery life.

CVE-2017-12714[e] has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).[f]

MISSING ENCRYPTION OF SENSITIVE DATA[g]

The Accent and Anthem pacemakers transmit unencrypted patient information
via RF communications to programmers and home monitoring units. The Assurity
and Allure pacemakers do not contain this vulnerability. Additionally, the
Accent and Anthem pacemakers store the optional patient information without
encryption; however, the Assurity and Allure pacemakers encrypt stored
patient information.

CVE-2017-12716[h] has been assigned to this vulnerability. A CVSS v3 base
score of 3.1 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).[i]

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited via an adjacent network.
Exploitability is dependent on an attacker being sufficiently close to the
target pacemaker as to allow RF communications.

EXISTENCE OF EXPLOIT

Exploitation of vulnerabilities has been publicly demonstrated; however,
exploit code is not publicly available.

DIFFICULTY

An attacker with high skill would be able to exploit these vulnerabilities.

MITIGATION

Abbott has developed a firmware update to help mitigate the identified
vulnerabilities. The version numbers of the firmware update for each product
family are as follows:

  Accent/Anthem:          Version F0B.0E.7E
  Accent MRI/Accent ST:   Version F10.08.6C
  Assurity/Allure:        Version F14.07.80
  Assurity MRI:           Version F17.01.49
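The power-consumption weakness described above (CWE-920: the device honours every correctly formatted RF wake-up, so an attacker's packet count translates directly into battery drain) is easiest to see in a small model. The Python below is an added example, not code from Abbott, MedSec or ICS-CERT. The advisory does not say how the updated firmware's "RF wake-up protections" work, so the sliding-window budget, the per-wake-up energy figure and the traffic schedules are all assumptions made here for illustration.

```python
"""Model of CWE-920 in an RF-wakeable implant: unbounded vs. budgeted wake-up handling.

Added illustration. The energy figure and the budget scheme are assumptions,
not Abbott's firmware behaviour.
"""
from collections import deque

WAKEUP_ENERGY_UJ = 50.0   # assumed cost of powering the RF front end up once


class UnboundedWakeupHandler:
    """The vulnerable pattern: every well-formed wake-up is honoured, so each
    attacker packet costs the battery a full wake-up."""

    def __init__(self) -> None:
        self.wakeups = 0
        self.energy_uj = 0.0

    def on_wakeup(self, now_s: float, well_formed: bool) -> bool:
        if not well_formed:          # malformed frames are dropped cheaply
            return False
        self.wakeups += 1
        self.energy_uj += WAKEUP_ENERGY_UJ
        return True


class BudgetedWakeupHandler:
    """One mitigation: honour at most `limit` wake-ups per sliding window of
    `window_s` seconds. Benign programmer/monitor traffic fits the budget;
    a flood of well-formed wake-ups does not."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._recent = deque()       # timestamps of honoured wake-ups
        self.wakeups = 0
        self.rejected = 0
        self.energy_uj = 0.0

    def on_wakeup(self, now_s: float, well_formed: bool) -> bool:
        if not well_formed:
            return False
        # Forget wake-ups that have aged out of the window.
        while self._recent and now_s - self._recent[0] >= self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.limit:
            self.rejected += 1       # well-formed but over budget: stay asleep
            return False
        self._recent.append(now_s)
        self.wakeups += 1
        self.energy_uj += WAKEUP_ENERGY_UJ
        return True


def run_schedule(handler, schedule):
    """Feed (time_s, well_formed) events to a handler and return the handler."""
    for now_s, ok in schedule:
        handler.on_wakeup(now_s, ok)
    return handler


def attacker_flood(count: int, interval_s: float):
    """Constructed attack traffic: `count` well-formed wake-ups, evenly spaced."""
    return [(i * interval_s, True) for i in range(count)]


def clinic_session(start_s: float, wakeups: int = 3, gap_s: float = 600.0):
    """Constructed benign traffic: a few wake-ups minutes apart."""
    return [(start_s + i * gap_s, True) for i in range(wakeups)]


def compare(count: int = 10_000, interval_s: float = 1.0,
            limit: int = 5, window_s: float = 3600.0):
    """Energy (uJ) spent by each handler under the same flood: (unbounded, budgeted)."""
    vulnerable = run_schedule(UnboundedWakeupHandler(), attacker_flood(count, interval_s))
    hardened = run_schedule(BudgetedWakeupHandler(limit, window_s), attacker_flood(count, interval_s))
    return vulnerable.energy_uj, hardened.energy_uj


if __name__ == "__main__":
    v, h = compare()
    print(f"unbounded handler: {v:.0f} uJ, budgeted handler: {h:.0f} uJ")
```

With the default parameters a flood of 10,000 wake-ups over about 2.8 hours costs the unbounded handler 10,000 full wake-ups, while the budgeted handler honours only 5 per hour-long window (15 in total) and ignores the rest; the benign three-wake-up session is accepted in full. A real implementation would also need to decide what the device does once the budget is exhausted (for example, still allowing a programmer session that proves possession of a key), which this model does not address.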
The pacemaker firmware update will implement RF wake-up protections and
limit the commands that can be issued to pacemakers via RF communications.
Additionally, the updated pacemaker firmware will prevent unencrypted
transmission of patient information (Accent and Anthem only).

The firmware update can be applied to an implanted pacemaker via the Merlin
PCS Programmer by a healthcare provider. It is recommended that healthcare
providers discuss this update with their patients and carefully consider the
potential risk of a cybersecurity attack along with the risk of performing a
firmware update. Implementation of the firmware update is to be determined
based on the physician's professional judgment and patient management
considerations. Pacemakers manufactured beginning August 28, 2017, will have
this update preloaded on devices.

Abbott states that firmware updates should be approached with caution. Like
any software update, firmware updates can cause devices to malfunction.
Potential risks include loss of device settings, the device going into
back-up mode, reloading of the previous firmware due to a failed upgrade,
loss of diagnostic data, and a complete loss of device functionality.

The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware
update and the associated risk of performing the update in the context of
potential cybersecurity risk. While not intended to serve as a substitute
for clinician judgment as to whether the firmware update is advisable for a
particular patient, the Cybersecurity Medical Advisory Board recommends the
following:

  * Healthcare providers and patients should discuss the risk and benefits
    of the cybersecurity vulnerabilities and associated firmware update
    during the next regularly scheduled visit. As part of this discussion,
    it is important to consider patient-specific issues such as pacemaker
    dependence, age of device, patient preference, and provide patients
    with the Patient Communication.
  * Determine if the update is appropriate given the risk of update for the
    patient. If deemed appropriate, install this firmware update following
    the instructions provided by the manufacturer.

  * For pacing dependent patients, consider performing the cybersecurity
    firmware update in a facility where temporary pacing and pacemaker
    generator change are readily available, due to the risk of firmware
    update malfunction.

Patients and healthcare providers with questions can call the dedicated
hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate
for more information.

The FDA safety communication issued on August 29, 2017, "Firmware Update to
Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St.
Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication",
is available at the following location:
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

a. CWE-287: Improper Authentication,
   http://cwe.mitre.org/data/definitions/287.html, web site last accessed
   August 29, 2017.
b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12712, NIST
   uses this advisory to create the CVE web site report. This web site will
   be active sometime after publication of this advisory.
c. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
   web site last accessed August 29, 2017.
d. CWE-920: Improper Restriction of Power Consumption,
   http://cwe.mitre.org/data/definitions/920.html, web site last accessed
   August 29, 2017.
e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12714, NIST
   uses this advisory to create the CVE web site report. This web site will
   be active sometime after publication of this advisory.
f. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
   web site last accessed August 29, 2017.
g.
   CWE-311: Missing Encryption of Sensitive Data,
   http://cwe.mitre.org/data/definitions/311.html, web site last accessed
   August 29, 2017.
h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12716, NIST
   uses this advisory to create the CVE web site report. This web site will
   be active sometime after publication of this advisory.
i. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
   web site last accessed August 29, 2017.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this
product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWaYOk4x+lLeg9Ub1AQiZTQ//fnX1GQ+r3MN2jFWPd8yUkRVU1zHvo7Gm
45eAbR1VF4zIX4NeXlRFoIM9DcIrogUsL/FmVgtMuqfBAwjfwNN8GXCy6TY6eK7c
7wWHblb3NRtWECDqqBdGy2wdiuhGVZrlvEzMR5wyHDiUy4l5SdDW599RuISZuWIx
rWNsFwDqe1P0Tr2nTAguhUprTaDmus29Az+wD66y1sy6ZcW3jdNYloLltCXHZnHp
ypKdeJzYSq8lkZVTdnK1zyi2zriFxUg+fX24OKosQUGlVicwLuvlRCUZlh1NBxGC
Qgqd/AVizNjSiqJArOGNwUYb2j4TaZ4FQdFA1mOuUUFGPqDhfL87mOtQoba1pPpg
GWtEALVsYlga+1+nnVbmCDk42zMBYjNNgrB2E56cGyvPxsb5v/c0ZnVRU9xG0vwW
+aana6OaKEC6krYPGunVlD/nSBDqxCU0fOh55A50Joq/jOGePjFYlVTHEUxRqHXG
0NVBKG0p26ISQ0HYrPBGNcVcat34A8mB5hyUR41qVXHu6xNUBAXDq56yaB/XL2TV
A070UB2E9/kEP0Y/fhzA9biORz4MoMWiFCafBj7K3LYI6zWPpbcobgYbRFjSBDGL
OJ65rD4onYZ7xernEhsD1vrAUGyq7gxrk3/pxX74/Ycg2XYirqVjhnzQFR5SCCHl
2sj6ZHW9gds=
=2Vls
-----END PGP SIGNATURE-----