OTPulse

ICSMA-17-241-01_Abbott Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities

Monitor · CVSS 7.5 · ICS-CERT ICSMA-17-241-01 · Aug 29, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI pacemakers contain multiple cryptographic and authentication weaknesses in their wireless communication protocols. The devices do not properly verify the authenticity or integrity of wireless commands, and use weak or no encryption for sensitive data. An attacker within wireless range can forge commands, intercept patient data, or modify device settings without authentication. Devices manufactured prior to August 28, 2017, are affected. No retroactive firmware update is available for implanted devices; only newly manufactured devices with the corrected firmware are safe.

What this means
What could happen
An attacker with wireless access to the pacemaker could intercept and modify commands without authentication, potentially altering therapy settings, disabling alarms, or causing the device to malfunction, which could result in patient injury or death.
Who's at risk
Cardiac care providers using Abbott pacemakers (Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI models) in any clinical setting. Patients with these models implanted prior to August 28, 2017, are at risk.
How it could be exploited
An attacker within wireless range of an affected pacemaker could forge or intercept unencrypted wireless communications to the device. The attacker could send malicious commands that the pacemaker accepts without authentication verification, allowing modification of device settings or therapy parameters.
Prerequisites
  • Wireless proximity to the affected pacemaker (typically within 5–10 meters)
  • A wireless transceiver capable of communicating on the pacemaker's frequency band
  • No authentication credentials required
Risk factors
  • Remotely exploitable via wireless
  • No authentication required
  • Affects safety-critical medical devices
  • No patch available for devices already implanted
  • Low complexity attack
  • High CVSS severity (7.5)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
Accent/Anthem: manufactured prior to August 28 | < august 28 | No fix (EOL)
Accent MRI: manufactured prior to August 28 | < august 28 | No fix (EOL)
Assurity MRI: manufactured prior to August 28 | < august 28 | No fix (EOL)
Assurity/Allure: manufactured prior to August 28 | < august 28 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict wireless access to pacemakers through shielded hospital environments or wireless-blocking facilities where medically appropriate
  • HARDENING: Maintain close surveillance of patients with affected pacemakers for unexpected device behavior or changes in therapy delivery
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Ensure pacemakers are implanted with the most recent firmware available (manufactured after August 28, 2017), as no retroactive fix is available for older devices
  • WORKAROUND: Work with your cardiologist and device supplier to review remote monitoring capabilities and disable wireless features if not clinically necessary