OTPulse

Abbott Laboratories Defibrillator

Plan Patch · 7.5 · ICS-CERT ICSMA-18-107-01 · Apr 17, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Abbott Laboratories implanted defibrillators (ICDs and CRT-Ds) manufactured before April 2018 contain authentication bypass vulnerabilities in their wireless RF communication protocol. A nearby attacker can exploit these vulnerabilities to send unauthorized commands to the device, potentially disabling therapy, changing settings, or interfering with the device's function. The vulnerabilities affect Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, Ellipse, Promote, and Current models. Abbott has released a firmware update that must be applied via the Merlin PCS Programmer at a healthcare facility. Devices manufactured April 25, 2018 or later have the fix preloaded.

What this means
What could happen
An attacker within wireless range could send commands to an implanted defibrillator, potentially disabling therapy delivery, changing device settings, or interfering with its critical life-support function. The risk of update-induced malfunction (including loss of defibrillation capability) must be weighed against the cybersecurity threat.
Who's at risk
This vulnerability affects implanted cardiac devices (ICDs and CRT-Ds) from Abbott, including Fortify, Fortify Assura, Quadra, Quadra Assura, Promote, Unify, Ellipse, and other models manufactured before April 2018. Affected parties include hospitals, cardiology clinics, and patients with implanted devices who rely on these devices for life-saving therapy delivery.
How it could be exploited
An attacker with knowledge of the wireless RF protocol and device identifiers could position themselves within range of a patient's implanted ICD or CRT-D and send unauthorized commands by bypassing authentication mechanisms, without needing any valid credentials or device access.
Prerequisites
  • Attacker must be within wireless RF communication range of the implanted device (typically within ~10 meters depending on environment)
  • Knowledge of the target device's RF communication protocol
  • No valid credentials or authentication required
Tags: remotely exploitable · no authentication required · low complexity attack · affects safety-critical medical device · no patch available for older manufactured devices
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (11)
11 with fix
Product | Affected Versions | Fix Status
Fortify | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Promote Quadra | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Unify Quadra | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Unify | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Ellipse | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Current | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Quadra Assura MP | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Quadra Assura | manufactured and distributed prior to April 1, 2018 | firmware update available (devices mfg. April 25, 2018 or later have preload)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply Abbott firmware update to implanted ICD/CRT-D devices via Merlin PCS Programmer at next regularly scheduled patient visit
Long-term hardening
HARDENING: Coordinate with cardiology/healthcare provider to perform firmware update during patient care visit; evaluate patient-specific risk/benefit given potential for incomplete upgrade or back-up pacing mode activation
HARDENING: For devices manufactured before April 25, 2018, track device serial numbers and ensure eligible patients are identified for update
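The last hardening item asks the care provider to track serial numbers and identify which patients are eligible for the update. The script below is an added example, not code from OTPulse, ICS-CERT or Abbott: it triages a constructed inventory of implanted-device records against the model list and the two dates the advisory gives (distributed before April 1, 2018 is affected; manufactured on or after April 25, 2018 ships with the fix preloaded). The inventory fields, the serial numbers and the "verify-firmware" bucket for units made between those two dates are assumptions made for the example.

```python
# Added example (not from the advisory page or from Abbott): sort implanted
# Abbott ICD/CRT-D records into follow-up buckets for ICSMA-18-107-01.
from dataclasses import dataclass
from datetime import date

# Models named in the advisory summary.
AFFECTED_MODELS = {
    "Fortify", "Fortify Assura", "Quadra Assura", "Quadra Assura MP",
    "Unify", "Unify Assura", "Unify Quadra", "Promote Quadra",
    "Ellipse", "Promote", "Current",
}
# Dates taken from the advisory text.
AFFECTED_BEFORE = date(2018, 4, 1)    # distributed before this: affected
PRELOADED_FROM = date(2018, 4, 25)    # manufactured from this date: fix preloaded


@dataclass
class Device:
    serial: str          # placeholder serial numbers, not real device identifiers
    model: str
    manufactured: date
    patched: bool        # True once the update was applied via the Merlin PCS Programmer


def triage(dev: Device) -> str:
    """Return the follow-up action for one device record."""
    if dev.model not in AFFECTED_MODELS:
        return "not-listed"        # model not named in the advisory
    if dev.patched:
        return "updated"           # update already applied at a patient visit
    if dev.manufactured >= PRELOADED_FROM:
        return "preloaded"         # shipped with the fix, no action needed
    if dev.manufactured < AFFECTED_BEFORE:
        return "schedule-update"   # apply at the next regularly scheduled visit
    # The advisory gives no explicit status for units made between April 1 and
    # April 24, 2018. Assumption for this example: confirm the firmware level at
    # a programmer visit before closing the record.
    return "verify-firmware"


def triage_inventory(devices):
    """Group serial numbers by action so eligible patients can be identified."""
    buckets = {}
    for dev in devices:
        buckets.setdefault(triage(dev), []).append(dev.serial)
    return buckets


# Constructed sample inventory (serials and dates are made up for the example).
SAMPLE_INVENTORY = [
    Device("SN-0001", "Fortify", date(2017, 11, 3), patched=False),
    Device("SN-0002", "Ellipse", date(2018, 5, 10), patched=False),
    Device("SN-0003", "Unify", date(2018, 4, 10), patched=False),
    Device("SN-0004", "Promote", date(2016, 6, 21), patched=True),
    Device("SN-0005", "Other-Model-X", date(2017, 1, 15), patched=False),
]

if __name__ == "__main__":
    for action, serials in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{action:16s} {', '.join(serials)}")
```

Only the "schedule-update" and "verify-firmware" buckets need a care-provider contact; the others document why no action was taken, which is the record an auditor will ask for when the advisory is closed out.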