-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1182
      Advisory (ICSMA-18-107-01) - Abbott Laboratories Defibrillator
                               18 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Abbott Laboratories Defibrillator
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12714 CVE-2017-12712 

Reference:         ESB-2017.2157

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-18-107-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-107-01)
Abbott Laboratories Defibrillator


Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.


1. EXECUTIVE SUMMARY

    CVSS v3 7.5

    ATTENTION: Exploitable remotely

    Vendor: Abbott Laboratories

    Equipment: Implantable Cardioverter Defibrillator and Cardiac
    Synchronization Therapy Defibrillator

    Vulnerabilities: Improper Authentication and Improper Restriction of Power
    Consumption

MedSec Holdings Ltd. has identified vulnerabilities in Abbott Laboratories'
(formerly St. Jude Medical) Implantable Cardioverter Defibrillator (ICD) and
Cardiac Synchronization Therapy Defibrillator (CRT-D). Abbott has produced
firmware updates to help mitigate identified vulnerabilities in their eligible
ICDs and CRT-Ds that utilize radio frequency (RF) communications. A third-party
security research firm has verified the new firmware updates mitigate the
identified vulnerabilities.

The Food and Drug Administration (FDA) released a safety communication on April
17, 2018, titled "Battery Performance Alert and Cybersecurity Firmware Updates
for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA
Safety Communication," regarding the identified vulnerabilities and
corresponding mitigation. In response, NCCIC is releasing this advisory to
provide additional detail to patients and healthcare providers.


2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow a nearby attacker to
gain unauthorized access to an ICD to issue commands, change settings, or
otherwise interfere with the intended function of the ICD.

Impact to individual organizations depends on many factors unique to each
organization. NCCIC recommends that organizations evaluate the impact of these
vulnerabilities based on their operational environment and specific clinical
usage.


3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ICDs and CRT-Ds manufactured and distributed prior to April 19,
2018, are affected:

    Fortify,
    Fortify Assura,
    Quadra Assura,
    Quadra Assura MP,
    Unify,
    Unify Assura,
    Unify Quadra,
    Promote Quadra,
    Ellipse,
    Current,
    Promote.

3.2 VULNERABILITY OVERVIEW

3.2.1   IMPROPER AUTHENTICATION CWE-287

The device's authentication algorithm, which involves an authentication key and
time stamp, can be compromised or bypassed, which may allow a nearby attacker
to issue unauthorized commands to the ICD or CRT-D via RF communications.

CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2   IMPROPER RESTRICTION OF POWER CONSUMPTION CWE-920

The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted
"RF wake-up" commands that can be received, which may allow a nearby attacker
to repeatedly send commands to reduce device battery life.

CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
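The two weaknesses above (3.2.1, a key-and-timestamp authentication that can be bypassed, and 3.2.2, no limit on how many RF wake-up commands the device honours) are easiest to see side by side in a small command gate. The following is an added, constructed illustration written for this bulletin; it is not Abbott's protocol, firmware or any code from the advisory. The key, message layout, clock source, budget of three wake-ups per 60 seconds and the 30-second freshness window are all assumptions chosen for the example.

```python
import hmac
import hashlib
from collections import deque

# Constructed illustration of the two weakness classes in this advisory:
# CWE-920 (unbounded RF wake-up commands drain the battery) and
# CWE-287 (a key+timestamp authentication that can be bypassed).
# Nothing here is the vendor's protocol; every constant is an assumption.
WAKEUP_WINDOW_S = 60   # assumed window for the wake-up budget (seconds)
WAKEUP_BUDGET = 3      # assumed number of wake-ups honoured per window
FRESHNESS_S = 30       # assumed tolerated clock skew for a command's timestamp


class CommandGate:
    """Gate in front of an RF-reachable device: bounds wake-ups, authenticates commands."""

    def __init__(self, key: bytes, clock):
        self._key = key          # assumed shared secret between programmer and device
        self._clock = clock      # injected integer-seconds clock (testable offline)
        self._wakeups = deque()  # times of recently honoured wake-ups
        self._last_counter = -1  # highest message counter accepted so far (anti-replay)

    # --- CWE-920 mitigation: cap the work an unauthenticated wake-up can cause ---
    def accept_wakeup(self) -> bool:
        """Return True if the radio may power up for a session; otherwise stay asleep."""
        now = self._clock()
        # forget wake-ups that have fallen out of the window
        while self._wakeups and now - self._wakeups[0] >= WAKEUP_WINDOW_S:
            self._wakeups.popleft()
        if len(self._wakeups) >= WAKEUP_BUDGET:
            return False  # budget exhausted: ignore further wake-ups, protect the battery
        self._wakeups.append(now)
        return True

    # --- CWE-287 mitigation: key-bound tag, fresh timestamp, strictly increasing counter ---
    def tag(self, counter: int, ts: int, command: bytes) -> bytes:
        """HMAC over counter, timestamp and command; the sender computes this with the key."""
        msg = counter.to_bytes(8, "big") + ts.to_bytes(8, "big") + command
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def accept_command(self, counter: int, ts: int, command: bytes, tag: bytes) -> bool:
        """Accept a command only if its tag, timestamp and counter all check out."""
        if not hmac.compare_digest(self.tag(counter, ts, command), tag):
            return False  # wrong key or tampered fields: the timestamp alone proves nothing
        if abs(self._clock() - ts) > FRESHNESS_S:
            return False  # stale (or future) timestamp
        if counter <= self._last_counter:
            return False  # replay of an already-accepted message
        self._last_counter = counter
        return True


def run_demo():
    """Drive the gate with a fake clock; returns the decisions so they can be checked."""
    t = [1000]
    gate = CommandGate(b"example-only-shared-key", clock=lambda: t[0])
    wake = [gate.accept_wakeup() for _ in range(4)]      # 4th exceeds the budget
    t[0] += WAKEUP_WINDOW_S + 1
    wake.append(gate.accept_wakeup())                     # window rolled over: honoured again
    good = gate.tag(1, t[0], b"READ_STATUS")
    results = {
        "wakeups": wake,
        "valid": gate.accept_command(1, t[0], b"READ_STATUS", good),
        "replay": gate.accept_command(1, t[0], b"READ_STATUS", good),
        "stale": gate.accept_command(2, 1000, b"READ_STATUS", gate.tag(2, 1000, b"READ_STATUS")),
        "forged": gate.accept_command(3, t[0], b"SET_MODE", good),
    }
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks matters: the wake-up budget is enforced before any authentication, because a device cannot verify anything until it has powered its radio, which is exactly the cost CWE-920 lets an attacker impose. For commands, the tag is verified first so that a timestamp or counter is only trusted after it has been bound to the key; a timestamp on its own is public information and is not an authentication factor.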

3.3 BACKGROUND

Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.

The affected ICDs and CRT-Ds are implantable medical devices designed to
deliver high voltage electrical pulses to correct a fast or irregular
heartbeat. According to Abbott, these devices are deployed across the
healthcare and public health sector. Abbott indicates that these products are
used worldwide.

3.4 RESEARCHER

MedSec Holdings Ltd. reported these vulnerabilities to Abbott Laboratories and
NCCIC.


4. MITIGATIONS

Abbott has developed a firmware update to help mitigate the identified
vulnerabilities.

The firmware update provides additional security to reduce the risk of
unauthorized access through authentication bypass for the following high
voltage device families that utilize wireless radio frequency (RF) communication:
Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura,
Unify Quadra, Promote Quadra, and Ellipse.

The firmware update can be applied to an eligible implanted ICD or CRT-D via
the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have
recommended the update to all eligible patients at the next regularly scheduled
visit or when appropriate depending on the preferences of the patient and
physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have
these updates preloaded on devices.

Abbott states that firmware updates should be approached with caution. As with
any software update, firmware updates can cause devices to malfunction.
Potential risks include discomfort due to back-up VVI pacing settings,
reloading of previous firmware version due to incomplete upgrade, inability to
treat VT/VF while in back-up mode given high voltage therapy is disabled,
device remaining in back-up mode due to unsuccessful upgrade, and loss of
currently-programmed device settings or diagnostic data. The Abbott
Cybersecurity Medical Advisory Board has reviewed this firmware update and the
associated risk of performing the update in the context of potential
cybersecurity risk.

While not intended to serve as a substitute for clinician judgment as to
whether the firmware update is advisable for a particular patient, the
Cybersecurity Medical Advisory Board recommends the following:

    - Healthcare providers and patients should discuss the risks and benefits
      of the cybersecurity vulnerabilities and associated firmware update
      during the next regularly scheduled visit or when appropriate depending
      on the preferences of the patient and physician. As part of this
      discussion, it is important to consider patient-specific issues such as
      pacemaker dependence, frequency of high voltage therapy, age of device,
      patient preference, and provide patients with the "Patient
      Communication."
    - Determine if the update is appropriate given the risk of update for the
      patient. If deemed appropriate, install this firmware update following
      the instructions provided by the manufacturer.
    - The cybersecurity firmware update should be performed in a facility where
      appropriate monitoring and external defibrillation are readily available.

Abbott's older generation devices (i.e., Current and Promote) are not capable
of accepting the firmware update due to technology limitations. If healthcare
providers and patients have any concerns relating to device cybersecurity for
those patients implanted with Current/Promote devices, providers have the
option to permanently disable the RF communication capability in the device.
However, if this option is selected, the patient can no longer be monitored
remotely using an RF Merlin@home transmitter. For most patients, permanently
disabling RF is not advisable given the proven benefits and improved survival
associated with home monitoring.

Therefore, the Medical Advisory Board recommends the following:

    - Healthcare providers and patients should discuss the risks of
      cybersecurity vulnerabilities and benefits of remote monitoring at the
      next regularly scheduled visit or when appropriate depending on the
      preferences of the patient and physician.
    - If deemed appropriate, RF communication may be permanently disabled
      during an in-clinic device interrogation with the Merlin programmer
      software.

Patients and healthcare providers with questions can call the dedicated hotline
at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more
information.

The FDA Safety Communication, "Battery Performance Alert and Cybersecurity
Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable
Cardiac Devices," is available at the following location:

https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber
Intrusion Detection and Mitigation Strategies, that is available for download
from the ICS-CERT website.

No known public exploits specifically target these vulnerabilities. High skill
level is needed to exploit.

Contact Information

For any questions related to this report, please contact the NCCIC at:

Email:     NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:
http://ics-cert.us-cert.gov or incident reporting:
https://ics-cert.us-cert.gov/Report-Incident?

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----