Security scare over hackable heart implants

A US government probe into claims that certain heart implants are vulnerable to hacking attacks has resulted in emergency security patches being issued for devices that cardiac patients have in their homes.

The medical devices under the microscope come from St Jude Medical, recently acquired by Abbott Laboratories, which was informed by researchers last year that its devices could be forced to malfunction: administering a mild electric shock, pacing at a potentially dangerous rate, or being tricked into suffering a high-risk battery drain.

Controversially, research company MedSec Holdings and hedge fund Muddy Waters reportedly profited by short selling stock in St Jude Medical, before telling the manufacturer about the serious vulnerabilities.

The St Jude Medical Merlin@home Transmitter connects the tiny computer inside a patient’s implanted cardiac pacemaker to a doctor’s surgery or clinic, using a telephone line, internet connection or 3G cellular network to communicate critical information about a patient’s heart activity.

The good news for patients is that they don’t have to make as many trips to the clinic, and don’t have to see their doctor in person so often. Remote monitoring allows a doctor to both monitor how a heart is behaving, and see if the implanted device is behaving unusually.

From this point of view, the technological advance can be seen as a good thing. But there is a genuine concern – as we have described before – that the rush to embrace technology to improve and save patients’ lives could introduce high-tech risks.

Perhaps most memorably, security researcher Barnaby Jack demonstrated in 2012 how he reverse-engineered a device to deliver a deadly 830 volt shock to a pacemaker from a distance of 30 feet, and discovered a method to scan insulin pumps wirelessly and configure them to deliver more or less insulin than patients required, sending patients into a hypoglycaemic shock.

In a press release announcing its security updates, St Jude Medical emphasised that it was “not aware of any cyber security incidents related to a St Jude Medical device.”

“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical.

Carson Block, CEO of Muddy Waters, meanwhile believes that going public about the vulnerabilities forced St Jude Medical to take swifter action to fix them, and feels that the fixes do not go far enough:

“…had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

Researchers claim that the St Jude Medical devices use very weak authentication, opening up potential opportunities for non-hospital staff to hack a home device into sending electrical shocks and malicious firmware updates to vulnerable implanted devices.

While more investigation is conducted into how the implanted devices themselves might be made more secure, patients are urged to make sure that their Merlin@home units are plugged in and connected to a phone line or cellular adapter, so that they receive the current and future security updates automatically.

Author Graham Cluley, We Live Security

Copyright © 2017 ESET, All Rights Reserved.