St. Jude Medical has patched a vulnerability in another Merlin@home Transmitter medical device vulnerable to a man-in-the-middle attack.
The medical device maker issued an update on Monday for its Merlin@home Transmitter “inductive” models, expanding the number of devices impacted by a high-severity vulnerability identified in a Jan. 9 advisory affecting RF models of the same medical device.
According to an ICS-CERT advisory issued Monday, the vulnerability allows a skilled remote attacker to access or influence communications “between Merlin.net and transmitter endpoints.” St. Jude, which Abbott Laboratories acquired on Jan. 4, has issued a software update that mitigates the vulnerability.
Initial revelations of several critical vulnerabilities in St. Jude devices were made public last August in a controversial disclosure by research company MedSec Holdings and hedge fund Muddy Waters. At the time, both led a controversial charge against St. Jude releasing a report alleging St. Jude’s pacemakers, defibrillators and other medical devices made by the company were vulnerable to potentially catastrophic attacks. Before the release of its research, Muddy Waters took a short position against St. Jude stock that allowed it and MedSec to profit should St. Jude stock drop in value.
Justine Bone, CEO of MedSec, said that she was encouraged by Monday’s move by St. Jude, but said the update only addressed one of many serious flaws remaining in the company’s life-sustaining medical equipment.
“It is very important to note that high risk vulnerabilities remain, in particular the implant back door that allows an attacker to generate shocks and/or disable the implant remotely over RF. We look forward to learning about St Jude Medical’s remediation plan that addresses this issue,” Bone told Threatpost.
She said in recent months St. Jude has softened a hardline defense it took in September when it claimed in a lawsuit that MedSec made false allegations regarding the safety of its medical equipment.
“After initially denying any existence of any vulnerabilities, St. Jude has changed course and started to reproduce our research inside their own environment,” Bone said. “This is exactly what they should do. Now they are starting to release fixes. This is the beginning of what we expect to be a continuous process of fixes released by St. Jude.”
St. Jude did not return requests for a comment.
The initial Muddy Waters report said it saw two demonstrations of attacks against implantable cardiac devices through the Merlin@home Transmitter. Should an attacker gain access to the device, they could change configurations and cause a device to malfunction and either alter pacing to dangerous rates, or deliver harmful shocks. Attackers could also cause the battery to drain. The attacks, the report said, are within reach of relatively unskilled hackers.
Additionally, the report claimed that the communication protocols for Merlin@home Transmitters lacked encryption and authentication mechanisms and were easily compromised.
“As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework,” Muddy Waters’ report said.
Bone said that it would take a firmware update in the cardiac implant itself to address these vulnerabilities, she said. “What St. Jude is doing with its messaging is implying everything has been fixed with this one patch. That is very much not the case. This patch addresses one piece of equipment, the Merlin@home device.”
