Low-level hackers can play with your heart. Literally. Pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, the US Food & Drug Administration warned on Monday, the same day a new software patch was released to address these vulnerabilities.
There are several confirmed vulnerabilities that could have granted hackers remote access a person's implanted cardiac device. Then, they could change the heart rate, administer shocks, or quickly deplete the battery. There hadn't been any report of patient harm related to these vulnerabilities as of Monday, the FDA said.
St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast.
They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network.
Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (…) be used to modify programming commands to the implanted device," the FDA safety communication reads.
In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said.
This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.
"Merlin@homes generally lack even the most basic forms of security," the paper claimed. MedSec experts wrote: "Key vulnerabilities can apparently be exploited by low level hackers. Incredibly, STJ has literally distributed hundreds of thousands of "keys to the castle" in the form of home monitoring units (called "Merlin@home") that in our opinion, greatly open up the STJ ecosystem to attacks. These units are readily available on Ebay, usually for no more than $35."
Back then, St. Jude Medical denied the claims, and sued Muddy Waters and MedSec. "The allegations are absolutely untrue," CTO Phil Ebeling told Bloomberg. "There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices." St. Jude declined to comment on the ongoing litigation.
Yet, Muddy Waters is not happy with the recent update. They claim St. Jude Medical is more interested in profits than in patients. "The announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants," a press statement reads. "[H]ad we not gone public, St. Jude would not have remediated the vulnerabilities."
The freshly released patch is available and will automatically download to the transmitter. "[P]atients should make sure that their Merlin@home unit is plugged in and connected via landline or cellular adapter so they can receive these and any future automatic security updates," St. Jude Medical wrote in a press release.
This is not the first time when physicians and cybersecurity experts have raised concerns regarding implanted medical devices. Former American Vice President Dick Cheney had the wireless capabilities of his heart implant disabled a few year ago, fearing an assassination attempt.
This piece has been updated with comment from St. Jude Medical.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.