• United States

Fixing, upgrading and patching IoT devices can be a real nightmare

Sep 07, 20173 mins
Internet of ThingsSecurity

The recall of almost half a million St. Jude Medical pacemakers highlights the growing importance—and huge risks—of the Internet of Things.

pacemaker xray
Credit: Thinkstock

Ensuring cybersecurity for computers and mobile phones is a huge, complex business. The ever-widening scope and unbelievable variety of threats makes keeping these devices safe from cyber criminals and malware a full-time challenge for companies, governments and individuals around the world.

But at least the vast majority of those devices are easily accessible, safe in the pockets or sitting on the desktops of the very people who want to protect them. The Internet of Things (IoT) devices that need protection, on the other hand, could be almost anywhere: sitting in a remote desert, buried deep in coal mine, built into a giant truck. Or, even implanted inside the human body.

IoT devices in hard-to-reach locations 

This issue was highlighted last week when the FDA issued a letter calling for the voluntary recall of some 465,000 St. Jude Medical pacemakers—currently embedded in heart patients’ chests!—to patch security holes.

The FDA warned that vulnerabilities in the RF-enabled implantable cardiac pacemakers “if exploited, could allow an unauthorized user … to access a patient’s device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

No compromised pacemakers yet

In other words, hackers might be able to run down the battery so the device would prematurely stop working, or they could even affect the patients’ heart rate or rhythm. 


Fortunately, according to Abbott, which now owns St. Jude Medical, no compromised pacemakers have yet been reported. And in the vast majority of cases, the vulnerable firmware can be updated with a simple, three-minute visit to a healthcare provider.


A risky future for IoT devices? 

But things might not turn out so well the next time a critical IoT device in a hard-to-reach place is diagnosed with security or other issues. What if the vulnerable pacemakers had to be removed via open-heart surgery to be patched? What if a patient died during the procedure? 

If that seems too gory, what about if a team had to head out to the desert, or down into that coal mine, or rip apart that giant truck to get to an IoT device? And what if something went wrong in the process, and someone got hurt, or worse? Who would be responsible, legally and otherwise? 

What happens when you can’t fix the IoT device? 

Or look at the problem another way. What if it was decided that getting to that difficult-to-access IoT device was too risky, so the vulnerable — or even compromised — device stayed in place? Whose responsibility would it be to deal with that and minimize any damage it caused? 

These may be largely theoretical questions right now, but it seems certain that they won’t stay hypothetical for long. These kinds of situations are bound to crop up sooner rather than later, and they pose clear and present dangers for IT teams more used to dealing with cyber issues than messy physical problems. 

Bottom line? When working with the Internet of Things, where those things are located can make a big difference — and potentially cause serious new problems for traditional IT teams.


Fredric Paul is Editor in Chief for New Relic, Inc., and has held senior editorial positions at ReadWrite, InformationWeek, CNET, PCWorld and other publications. His opinions are his own.