Cyber Emergency Response Team, Advisory: Abbot Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities , August 29, 2017. Unclassified.
National Security Archive
A 2017 DHS advisory reveals how a nearby attacker could hijack Abbott’s pacemakers, sparking the first coordinated public‑private response to a life‑critical cyber‑vulnerability.
Source: Cyber Emergency Response Team, Advisory: Abbot Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities , August 29, 2017. Unclassified. Date: Aug 29, 2017 Archive: Cyber Emergency Response Team Collection: Cyber Vault: First Responders Targeted Sep 13, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A cyber‑alert from the front lines of medical device security
On August 29, 2017 the Industrial Control Systems Cyber Emergency Response Team (ICS‑CERT), a DHS‑run unit that monitors vulnerabilities in critical infrastructure, issued advisory ICSMA‑17‑241‑01. The notice was a direct reaction to a coordinated disclosure by MedSec Holdings Ltd, a private security firm that had uncovered a trio of flaws in Abbott Laboratories’ implantable cardiac pacemakers – the Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI families. The timing is significant: the same day the Food and Drug Administration (FDA) published a safety communication urging users to install a firmware patch. The document therefore captures a rare moment when a federal regulator, a private‑sector manufacturer, and a national‑level cyber‑response agency converged on a single, life‑critical product.
The broader episode: the rise of ‘cyber‑physical’ medicine
The Abbott advisory sits at the nexus of two historic trends. First, the rapid integration of wireless telemetry into implantable devices – a development that began in the early 2000s and accelerated after the 2015 FDA guidance on post‑market cybersecurity. Second, the emergence of a nascent public‑private partnership model for vulnerability disclosure, exemplified by MedSec’s responsible reporting to Abbott, the FDA’s safety alert, and the DHS‑run CERT’s public advisory. Together these elements marked a shift from treating medical devices as isolated, immutable hardware to viewing them as software‑driven platforms that must be patched, monitored, and defended much like a corporate IT system.
Who said what, and why it matters
The advisory’s language is clinical yet urgent: it flags “improper authentication” that could let a nearby attacker issue commands, and “improper restriction of power consumption” that could drain a pacemaker’s battery. By assigning CVE identifiers (CVE‑2017‑12712, ‑12714, ‑12716) and CVSS scores ranging from 3.1 to 7.5, the CERT anchors the medical risk in the same quantitative framework used for industrial control systems. This cross‑domain framing signals to hospitals, device manufacturers, and the broader cybersecurity community that a breach of a heart‑stimulating device is not a theoretical concern but a concrete, exploitable threat.
The document also reveals the delicate balance Abbott had to strike. While it lauds the firmware update as a mitigation, it cautions that any update carries the risk of device malfunction – loss of settings, backup mode activation, or even total loss of function. By foregrounding physician discretion (“implementation of the firmware update is to be determined based on the physician’s professional judgment”), the advisory underscores a core tension in medical cyber‑risk management: the trade‑off between immediate security and the potential for iatrogenic harm.
Reading between the lines
Several subtleties emerge from the advisory’s structure. The repeated emphasis on “adjacent network” exploitability hints at the agency’s awareness that a true remote attack is unlikely; the threat model centers on an attacker physically near the patient – a scenario more plausible in a hospital or care‑facility setting than in a private home. Yet the inclusion of a “Traffic Light Protocol” header signals that the document was intended for controlled dissemination among a trusted network of responders, not for mass public consumption. This reflects the early stage of a policy debate on how transparent vulnerability information should be when lives are at stake.
The advisory’s mention of a “third‑party security research firm” that verified the patch, without naming the firm, suggests a deliberate effort to protect the identities of researchers who often operate under non‑disclosure agreements. It also points to a growing ecosystem of independent security labs that have become de‑facto gatekeepers for medical device safety – a role previously occupied solely by regulators.
Legacy and why it still matters
Four years later, the Abbott advisory is cited in academic studies of medical device cybersecurity and in policy briefs urging mandatory “software‑as‑a‑medical‑device” regulations. It set a precedent for the FDA’s later 2020 guidance requiring manufacturers to submit a “cybersecurity pre‑market review” and a post‑market vulnerability management plan. Moreover, the incident helped catalyze the formation of the Medical Device Innovation, Safety and Security (MDISS) consortium, a multi‑stakeholder forum that now drafts best‑practice standards for secure device lifecycles.
In an era where ransomware attacks on hospitals dominate headlines, the 2017 advisory reminds us that the most damaging breach may not cripple a network but silently alter the rhythm of a patient’s heartbeat. The document’s blend of technical detail, regulatory coordination, and cautious risk communication continues to shape how we think about protecting the body’s most intimate cyber‑interfaces.
9/6/2017 Abbott Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities | ICS-CERT
# Advisory (ICSMA-17-241-01)
## Abbott Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities
Original release date: August 29, 2017
### Legal Notice
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
---
### OVERVIEW
MedSec Holdings Ltd has identified vulnerabilities in Abbott Laboratories' (formerly St. Jude Medical) pacemakers. Abbott has produced a firmware patch to help mitigate the identified vulnerabilities in their pacemakers that utilize radio frequency (RF) communications. A third-party security research firm has verified that the new firmware version mitigates the identified vulnerabilities.
The Food and Drug Administration (FDA) released a safety communication on August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication, regarding the identified vulnerabilities and corresponding mitigation. In response, ICS-CERT is releasing this advisory to provide additional detail to patients and healthcare providers.
### AFFECTED PRODUCTS
The following pacemakers manufactured prior to August 28, 2017, are affected:
* Accent/Anthem,
* Accent MRI,
* Assurity/Allure, and
* Assurity MRI.
### IMPACT
Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
### BACKGROUND
Abbott is a US-based company headquartered in Abbott Park, Illinois.
The affected pacemakers are implantable medical devices designed to deliver electrical pulses to correct a slow heartbeat or no heartbeat at all. According to Abbott, these pacemakers are deployed across the Healthcare and Public Health sector. Abbott indicates that these products are used worldwide; however, Accent and Anthem are no longer sold in the US.
### VULNERABILITY CHARACTERIZATION
#### VULNERABILITY OVERVIEW
**IMPROPER AUTHENTICATIONᵃ**
The pacemaker's authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.
CVE-2017-12712ᵇ has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
**IMPROPER RESTRICTION OF POWER CONSUMPTIONᵈ**
The pacemakers do not restrict or limit the number of correctly formatted "RF wake-up" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.
CVE-2017-12714ᵉ has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
**MISSING ENCRYPTION OF SENSITIVE DATAᵍ**
The Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information.
CVE-2017-12716ʰ has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).ⁱ
#### VULNERABILITY DETAILS
**EXPLOITABILITY**
These vulnerabilities could be exploited via an adjacent network. Exploitability is dependent on an attacker being sufficiently close to the target pacemaker as to allow RF communications.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01
1/3
9/6/2017 Abbott Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities | ICS-CERT
EXISTENCE OF EXPLOIT
Exploitation of vulnerabilities has been publicly demonstrated; however, exploit code is not publicly available.
DIFFICULTY
An attacker with high skill would be able to exploit these vulnerabilities.
MITIGATION
Abbott has developed a firmware update to help mitigate the identified vulnerabilities. The version numbers of the firmware update for each product family are as follows:
- Accent/Anthem, Version F0B.0E.7E,
- Accent MRI/Accent ST, Version F10.08.6C,
- Assurity/Allure, Version F14.07.80, and
- Assurity MRI, Version F17.01.49.
The pacemaker firmware update will implement "RF wake-up" protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician's professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.
Abbott states that firmware updates should be approached with caution. Like any software update, firmware updates can cause devices to malfunction. Potential risks include loss of device settings, the device going into back-up mode, reloading of the previous firmware due to a failed upgrade, loss of diagnostic data, and a complete loss of device functionality. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:
- Healthcare providers and patients should discuss the risk and benefits of the cybersecurity vulnerabilities and associated firmware update during the next regularly scheduled visit. As part of this discussion, it is important to consider patient-specific issues such as pacemaker dependence, age of device, patient preference, and provide patients with the "Patient Communication."
- Determine if the update is appropriate given the risk of update for the patient. If deemed appropriate, install this firmware update following the instructions provided by the manufacturer.
- For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator change are readily available, due to the risk of firmware update malfunction.
Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more information.
The FDA issued a safety communication on August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication, is available at the following location:
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
a. CWE-287: Improper Authentication, http://cwe.mitre.org/data/definitions/287.html, web site last accessed August 29, 2017. b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12712, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. c. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:..., web site last accessed August 29, 2017. d. CWE-920: Improper Restriction of Power Consumption, http://cwe.mitre.org/data/definitions/920.html, web site last accessed August 29, 2017. e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12714, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. f. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:..., web site last accessed August 29, 2017. g. CWE-311: Missing Encryption of Sensitive Data, http://cwe.mitre.org/data/definitions/311.html, web site last accessed August 29, 2017. h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12716, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. i. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:..., web site last accessed August 29, 2017.
Contact Information
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@hq.dhs.gov Toll Free: 1-877-776-7585 International Callers: (208) 526-0900
For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
9/6/2017 Abbott Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities | ICS-CERT ICS-CERT continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 3/3
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
Keywords
Sources & References
- [1]Cyber Emergency Response Team, Advisory: Abbot Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities , August 29, 2017. Unclassified.
- [2]https://www.sjm.com/cyberupdate
- [3]https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
- [4]http://cwe.mitre.org/data/definitions/287.html
- [5]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12712
- [6]https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S
- [7]http://cwe.mitre.org/data/definitions/920.html
- [8]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12714
- [9]http://cwe.mitre.org/data/definitions/311.html
- [10]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12716
- [11]http://ics-cert.us-cert.gov
- [12]https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01