FDA confirms that St. Jude cardiac devices contain hacking vulnerabilities; company issues patch

midian182

TechSpot Editor
Staff member

As more companies rush to make every single item connected, the threat of hackers compromising these systems also increases. But it’s not just smart home products that are at risk; the Food and Drug Administration has issued a warning over cybersecurity vulnerabilities found in cardiac devices such as pacemakers.

The FDA notice states that the problem is related to the Merlin@home Transmitters manufactured by St. Jude Medical. They are part of a home monitoring system that transmits and receives RF signals used to wirelessly connect to implanted cardiac devices and read their stored data.

Engadget reports that once the Merlin accesses the information stored on a pacemaker, it’s uploaded to the Merlin.net Patient Care Network, where medical staff can access and monitor the device and the patient's health.

The FDA notice doesn’t go into specifics, but it does warn that if the vulnerabilities in the Merlin were exploited, hackers could “modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

The note emphasizes that there have been no reports of the devices being hijacked, and St. Jude Medical has developed a patch that fixes the security issues. It started rolling out yesterday and will be automatically applied over-the-air to affected Merlin products – just make sure they’re switched on and connected to the network.

The move follows months of denials by St. Jude that its heart implants contain any security vulnerabilities. Last year, Muddy Waters - an investment house founded by Carson Block - published a report claiming St. Jude's devices could be hacked. St. Jude called the claims “false and misleading,” before launching legal action against the company.

In a statement, Block said the FDA's announcement "vindicates" the firm's research. "It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities," Block said. "Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."

Permalink to story.

 

Skidmarksdeluxe

TS Evangelist
Man!!! This is truly frightening. Imagine some hacker loading ransomware onto someones pacemaker. If they wanna live what other alternative do they but to pay that 'lower than snake faeces' hacker'.
"If you don't come up with the 200 bitcoins by 6pm tonight I'm gonna increase your heart rate from 65 bpm to say... 500 bpm" Yeesh!
 

Uncle Al

TS Evangelist
Very surprising that the folks at St. Jude would not have done a better job than this ..... very much out of character.
 

IAMTHESTIG

TS Evangelist
Man!!! This is truly frightening. Imagine some hacker loading ransomware onto someones pacemaker. If they wanna live what other alternative do they but to pay that 'lower than snake faeces' hacker'.
"If you don't come up with the 200 bitcoins by 6pm tonight I'm gonna increase your heart rate from 65 bpm to say... 500 bpm" Yeesh!
Interesting you say that because the TV show NCIS had an episode that depicted someone being killed by their pacemaker being hacked and set to 400 bpm.
 

cartera

TS Evangelist
Man!!! This is truly frightening. Imagine some hacker loading ransomware onto someones pacemaker. If they wanna live what other alternative do they but to pay that 'lower than snake faeces' hacker'.
"If you don't come up with the 200 bitcoins by 6pm tonight I'm gonna increase your heart rate from 65 bpm to say... 500 bpm" Yeesh!
Interesting you say that because the TV show NCIS had an episode that depicted someone being killed by their pacemaker being hacked and set to 400 bpm.
Didn't the series homeland have something about it too?
Pretty scary stuff though, I have a similar device that communicates wirelessly but only over short distances like 1-2cm and it isn't connected to the web. These things shouldn't be accessible from the web imho, at least not without some intervention from the user or someone with the user.
 

Latest posts