
What pacemaker communicates via Bluetooth? Last I checked they all used induction telemetry (which requires the telemetry wand to be within several inches of the device) or MICS band radio for distance telemetry. I think some Boston Scientific devices used 900 MHz at one time, but how many of those are still in the wild?

The only instances of "hacking" a pacemaker (or ICD) have been when researchers used a programmer from the manufacturer to "hack" the device.

So it seems super unlikely you know a Bluetooth zero day for a pacer.



>The only instances of "hacking" a pacemaker [...] //

Someone has linked a PDF of an "ICD study" upthread that shows your contention to be at least partially false.


I assume you mean this one:

http://www.secure-medicine.org/public/publications/icd-study...

You would need to be specific about which one of the linked documents you meant; there were several. All the hacking attempts started off with a manufacturer's programmer and worked back from there. In the example using a software radio, the researchers were able to replay sniffed commands to the device after it had been activated by the programmer.

Which of the reports talked about a device being compromised without using a manufacturer's programmer?


Yes. I've not pored over it but they said:

>"We implemented several active [replay] attacks using [only] the USRP and a BasicTX daughterboard to transmit on the 175 kHz band." //

Yes, they used a programmer for reverse engineering purposes but from my - admittedly brief - look at the paper it seemed they performed active attacks (page 8(A) onwards) without using the programmer.

So they previously used a programmer but the attacks were performed without one. Assumed true, it seems a reasonable PoC that contradicts the essence of your statement, which seemed to say all "hacks" needed a manufacturer's programmer to perform.


Indeed, all pacers I know of don't have Bluetooth comms precisely because of the potential for vulnerabilities.

(I used to work for a pacer company)


> So let's say



