iOS update bricks medical implant. How to royally screw up embedded programming.
10-10-2023, 09:38 PM
Post: #1
I got a letter today concerning a medical implant I have, a neurostimulator. I don't often share such personal information, but this is an interesting case of developers really screwing the pooch and the end user really paying for it in blood.

The original implant I had used a custom-built controller that communicated with the implanted device using a magnetic coupling wand (and was charged the same way). The controller was about the size of a smallish smart phone. It ran on 3 AAA cells which lasted 1.5~2 years. This worked fine for 10+ years but the rechargeable batteries in the implant reached EOL and thus I had a new model implanted about 5 years ago.

The new model works at a higher frequency (20 kHz), in a pulsed manner. Since you can't feel the 20 kHz signal, the output is pulsed, allowing a non-rechargeable battery pack to be used. This makes it smaller, and without the need for a magnetic coupling for recharging they changed to using a Bluetooth connection with an iPod Touch as a control device. This does make for a handy controller, but you have to recharge the iPod about once every ten days even with very, very, very light use.

At the time I got this new model the nurse said, "Oh, you can put other programs on the iPod if you want!" Thinking this was a terrible idea, I have never connected it by WiFi. Having your medical device online is the worst idea EVER!

So, back to the letter received today. Normally you cannot have an MRI with such a device implanted. This unit has the ability to be placed in a safe mode so that neither you nor it is damaged by the MRI. The letter informed me that if the implant is put into 'MRI mode' and then one of the following situations occurs, you will not be able to turn off MRI mode and will need to have the implant surgically replaced!

1) Controller loss/damaged
2) Controller is locked and you lose/forget the PW
3) Controller app or iOS is updated while in MRI mode
4) Bluetooth connection is deleted from iPod

So, an automatic SW update can cause you to lose control of your medical implant!!!!!!!!!! Or, you accidentally drop and damage the iPod when you pick it up to turn off MRI mode, etc. Between 2015 and 2023 this has happened to 75 people worldwide.

Normally the nurse working for the implant company can use an iPad to talk to the implant as long as you have your controller iPod in range. Thus, it can be reprogrammed, etc. Reading between the lines, it seems that there must be additional security measures used in MRI mode to ensure that a foreign controller can't cause problems (unintentional or not). OK, but what genius thought it was a good idea to node lock the implant to an iOS version, etc.? If you needed to do so, would you not consider what could alter the IDs you were using?

Using various system IDs to generate a unique ID for a node lock is not a new idea by any stretch. Having the system IDs changed by software updates, or hardware changes, etc. is also not uncommon. Years ago, I did some contract programming work for a dedicated purpose CAD/CAM application and having system IDs changing with system software updates was far more common than we liked. The solution was to allow the end user to easily create a new license key via the company website. This was not perfect, but it only took 5min to generate a new key. I am astounded that a medical device managed to make it all the way through production, QC and all the worldwide medical review agencies without a single person thinking about this. I also suspect the letter was sent as there is a class action lawsuit brewin
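The node-lock failure mode discussed in the post above, as an added illustration that is not part of the original post and is not the device vendor's code: a lock ID hashed from attributes that change on update stops matching, one hashed from stable attributes survives, and a vendor-authorised re-key gives a recovery path. All field names, values, `LockedDevice` and `issue_rekey_token` are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: hypothetical controller attributes before and after an OS update.
BEFORE = {"hw_serial": "CTRL-0001", "pairing_secret": "a3f1c2",
          "os_version": "15.7", "app_build": "410"}
AFTER = dict(BEFORE, os_version="16.1", app_build="455")

VOLATILE_FIELDS = ("hw_serial", "os_version", "app_build")  # change on update
STABLE_FIELDS = ("hw_serial", "pairing_secret")             # survive updates


def node_id(attrs, fields):
    """Derive a node-lock ID by hashing the chosen attributes in a fixed order."""
    material = "\x1f".join(f"{name}={attrs[name]}" for name in fields)
    return hashlib.sha256(material.encode()).hexdigest()


def issue_rekey_token(vendor_key, old_id, new_id):
    """Vendor side (hypothetical): authorise replacing old_id with new_id."""
    msg = f"{old_id}->{new_id}".encode()
    return hmac.new(vendor_key, msg, hashlib.sha256).hexdigest()


class LockedDevice:
    """Hypothetical device that accepts commands only from the enrolled node ID."""

    def __init__(self, enrolled_id, vendor_key):
        self.enrolled_id = enrolled_id
        self._vendor_key = vendor_key  # assumption: shared with the vendor's re-key service

    def accepts(self, presented_id):
        return hmac.compare_digest(self.enrolled_id, presented_id)

    def rekey(self, new_id, token):
        """Recovery path: enroll new_id only if the token proves vendor approval."""
        expected = issue_rekey_token(self._vendor_key, self.enrolled_id, new_id)
        if not hmac.compare_digest(expected, token):
            return False
        self.enrolled_id = new_id
        return True


if __name__ == "__main__":
    key = b"constructed-vendor-key"
    brittle = LockedDevice(node_id(BEFORE, VOLATILE_FIELDS), key)
    stable = LockedDevice(node_id(BEFORE, STABLE_FIELDS), key)
    print("volatile lock after update:", brittle.accepts(node_id(AFTER, VOLATILE_FIELDS)))
    print("stable lock after update:  ", stable.accepts(node_id(AFTER, STABLE_FIELDS)))
```
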