St. Jude Patches Hole that allowed Medical Device Hacks

St. Jude issued a software fix for its Merlin@ home product Monday, which is used to manage implantable defibrillators and other implantable medical devices.

In-brief: St. Jude Medical said on Monday that it patched a serious hole in a product used to program implantable medical devices like defibrillators. But researchers and a Wall Street investment firm say the company still has more holes to close. 

St. Jude Medical, the medical device maker, has closed a hole that could have allowed a remote hacker to compromise the security of implanted medical devices such as pace makers, the company said Monday.

In a statement on its web page, the St. Paul, Minnesota-based medical device maker said that it will “immediately deploy” cyber security updates for its Merlin™ remote monitoring system. Those updates will fix one security hole identified by the research firm MedSec. That research was the foundation of a Wall Street investment firm’s report on St. Jude in August.

The Merlin product is a tool that is used to update and fine tune implantable pacemakers and defibrillator devices. According to a notice published by the Department of Homeland Security’s Industrial Control System CERT (ICS-CERT), St. Jude’s Merlin@ home product failed to verify the identity Merlin@ home endpoints, allowing a “man in the middle” attack in which a malicious actor intercepts the communication channel and impersonates either the St. Jude Merlin server or the Merlin@ home device.

St. Jude Medical said it is not aware of any cyber security incidents related to a St. Jude Medical device or any St. Jude Medical device or system in clinical use that has been “purposely targeted.”

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, an advisor to St. Jude Medical’s Cyber Security Medical Advisory Board, said in a published statement.

“Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

But Muddy Waters founder Carson Block said in a statement that company’s update came only after the merger of Abbott Laboratories and St. Jude Medical was finalized last week.

“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters,” Block wrote. “This long-overdue acknowledgement… reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.”

Writing on the MedSec Blog, the company’s CEO, Justine Bone took issue with St. Jude’s characterization of the patched vulnerability as an “extremely low cyber security risk.” The vulnerability was rated as High severity (8.9 on a scale of 1-10) by the Department of Homeland Security, she noted.

“We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin @ Home device.”

MedSec, Bone noted, is still being sued by St. Jude and Abbott for defamation over the vulnerability disclosures.

“We believe our actions, which always sought to protect detailed vulnerability information, have finally resulted in St Jude Medical taking responsibility for the extensive security problems in their technology, upon which their customer’s health is dependent,” Bone said.

Both Bone and Block noted that many vulnerabilities uncovered by MedSec remain unaddressed. That includes the use of what Block described as a “universal code that could allow hackers to control the implants.”

Comments are closed.