FDA Warns Abbott on IoT Vulnerability & More

The FDA delivered a strongly worded warning to Abbott Labs about continuing vulnerabilities and defects in implantable devices.

Cleaning up a mess is never fun. Cleaning up an inherited mess is worse, and that's the position in which Abbott Labs finds itself after a harsh letter of warning from the US FDA.

At issue are the pacemakers and internal defibrillators sold by St. Jude Medical before the company was acquired by Abbott Labs in January 2017. According to the FDA's Warning Letter, St. Jude Medical (now Abbott Labs) has failed to correct previously noted problems in the battery and cybersecurity vulnerabilities in both pacemakers and internal defibrillators. The letter, dated April 12, noted that the company has failed to either correct the problems or implement procedures to insure that they do not recur. In addition, the letter cites Abbott labs for selling a small number of units already under a recall order.

In January, the FDA confirmed that the St. Jude Medical devices contained software with vulnerabilities that could allow an unauthorized third party to gain control of the pacemaker or defibrillator and quickly run down the battery or deliver a series of shocks at the wrong time. At the time, St. Jude said that it had developed a software patch that could be automatically applied to devices through the Merlin@home transmitter each patient uses with the devices. Abbott Labs also said that it was working with both the FDA and DHS to improve device security.

The original vulnerability report, published by investment firm Muddy Waters Research and based on "ethical hacking" from MedSec, was controversial because Muddy Waters released the information, which described vulnerability to man-in-the-middle attacks in the implantable devices, in a statement regarding stock sales and purchases rather than in a private message to either St. Jude Medical or the FDA.

The latest FDA warning letter indicates that Abbott Labs has not dealt with the problem to the satisfaction of the FDA. On a larger scale, this is the sort of IoT security issue that many experts have warned about: critical components containing serious vulnerabilities deployed in difficult-to-update scenarios. Companies that sell IoT systems, as well as those that are their customers, are likely to be watching the interaction of Abbott Labs and the FDA to see how future IoT vulnerabilities will be dealt with by regulators and industry.

— Curtis Franklin, Security Editor, Light Reading

Read more about:

Security Now

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights