Pacemaker Hacking Fears Rise With Critical Research Report

Researchers warn that medical devices made by St. Jude Medical are at risk of attacks via SSH certificate reuse vulnerabilities and static credentials that can easily give hackers root access to key monitoring equipment.

Pacemakers, defibrillators and other medical devices made by a leading medical equipment maker are vulnerable to potentially “catastrophic” cyberattacks. With relatively little effort, tens of thousands of cardiac devices made by St. Jude Medical can be attacked, according to a report released by private equity firm Muddy Waters Capital with help from medical researchers at MedSec.

The report (PDF), released Thursday, claims major cybersecurity flaws are riddled throughout St. Jude Medical’s device portfolio and are tied to the company’s Merlin@home home monitoring units, which “greatly open up the STJ ecosystem to attacks.”

“These units (Merlin@home) are readily available on Ebay, usually for no more than $35. Merlin@homes generally lack even the most basic forms of security, and as this report shows, can be exploited at every level of the technology stack of St. Jude’s Cardiac Devices,” authors of the report wrote.

The MedSec investigation into St. Jude Medical’s cardiac devices, which include pacemakers, implantable cardioverter defibrillators, and cardiac resynchronization therapy devices, concluded that each of the pieces of equipment were vulnerable to attacks that could cause devices to malfunction, drain batteries of life-saving equipment or could put device-dependent users at risk of equipment failure.

“We have conducted deep research on the entire medical device industry for over 18 months and the vulnerabilities we discovered at St. Jude were appalling to us when compared to other medical device makers,” Justine Bone, director and CEO of MedSec, wrote in a prepared statement.

The U.S. Food and Drug Administration, which regulates medical devices, declined to comment on the MedSec and Muddy Waters report.

The St. Paul, Minn.-based medical device maker did not return requests for comment for this article. However, the company’s CTO, Philip Ebeling, released a statement: “The allegations are absolutely untrue. There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts with specifically Merlin@home and all our devices.”

Potential flaws in St. Jude Medical equipment were first shared by Miami-based MedSec three months ago with financial research firm Muddy Waters. For the year prior to that disclosure, MedSec had been testing security flaws in medical devices.

Then, in what is viewed as a controversial move, when MedSec discovered the St. Jude Medical device flaws it contacted Muddy Waters, not St. Jude Medical. Muddy Waters then took a short position in St. Jude Medical, denouncing the company’s medical devices as ticking time bombs. MedSec also stands to benefit financially if St. Jude Medical’s stock drops.

On Friday Nasdaq suspended trading in St. Jude Medical as shares tumbled 2.5 percent. Later in the day St. Jude Medical recovered those losses when trading resumed and closed 0.2 percent higher ($78.01) than its opening share price.

In a statement posted on MedSec’s website, the company’s CEO Bone wrote:

“We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action. Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products.”

MedSec researchers maintain the Merlin@home devices are the weak link in the security defenses of St. Jude Medical’s device ecosystem. “Any programmer or Merlin@home device can generally communicate with any Cardiac Device because there is no strong authentication built into the protocol,” the report said.

Image: Courtesy Muddy Waters Research

The report said attackers can easily reverse engineer the communications protocol, mimic parts of St. Jude Medical’s ecosystem and manipulate the company’s cardiac devices. It blasted the medical device maker for weak device authentication coupled with a dearth of encrypted software and code, as well as having no anti-tampering mechanisms.

In another instance, MedSec reported that a 50 foot RF range for the Merlin@home units used to interact with implanted devices compounded the security issues. It said that range should be brought to inches, not feet, so an attacker would be limited to in-person attacks rather than attacks that can be conducted from a greater distance and are not easily detected.

Researchers say they were able to get root access to the Merlin@home devices thanks to sloppy security that included certificate reuse, sharing of SSH keys across devices and static credentials, allowing an unauthenticated user to log in to the affected system with the privileges of the root user.
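The key-sharing finding above is the kind of defect a fleet owner can audit for without touching the devices’ firmware: if every unit ships with the same SSH host key, the fingerprints collected from them will collide. The following script is an added example written for this article, not code from MedSec, Muddy Waters or St. Jude Medical. It parses `ssh-keyscan`-style output (constructed sample lines with made-up key material, not real device keys), computes the same `SHA256:` fingerprint OpenSSH prints, and reports any fingerprint that appears on more than one host.

```python
import base64
import hashlib
from collections import defaultdict


def openssh_fingerprint(blob_b64: str) -> str:
    """Return the OpenSSH-style fingerprint of a base64 public-key blob.

    OpenSSH hashes the decoded key blob with SHA-256 and prints the digest
    base64-encoded with the trailing '=' padding stripped.
    """
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Parse `host keytype base64blob` lines as emitted by ssh-keyscan.

    Blank lines and '#' comment lines (ssh-keyscan prints those with -v)
    are skipped; any other malformed line raises so bad input is not
    silently dropped from an audit.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'host keytype blob'")
        host, keytype, blob = parts[0], parts[1], parts[2]
        entries.append((host, keytype, blob))
    return entries


def find_shared_host_keys(text: str) -> dict:
    """Map each fingerprint seen on two or more hosts to the sorted host list.

    A non-empty result means distinct devices present the same host key,
    i.e. the per-device key was cloned rather than generated on first boot.
    """
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[openssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def _fake_blob(label: str) -> str:
    # Constructed placeholder key material: valid base64, not a real key.
    return base64.b64encode(b"constructed-key-blob-" + label.encode()).decode()


# Constructed sample: two devices present the same key, one has its own.
SAMPLE_KEYSCAN = "\n".join([
    "# hypothetical-device-a:22 SSH-2.0-OpenSSH_7.2",
    f"hypothetical-device-a ssh-ed25519 {_fake_blob('one')}",
    f"hypothetical-device-b ssh-ed25519 {_fake_blob('one')}",
    f"hypothetical-device-c ssh-ed25519 {_fake_blob('two')}",
])


if __name__ == "__main__":
    shared = find_shared_host_keys(SAMPLE_KEYSCAN)
    if not shared:
        print("no shared host keys found")
    for fp, hosts in shared.items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real fleet the input would come from `ssh-keyscan` run against the device inventory (or from the `known_hosts` files of the management hosts); any fingerprint listed by `find_shared_host_keys` is a key that must be rotated to per-device material, since one extracted private key otherwise impersonates every unit.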

With root access, researchers say, an attacker could conduct a “crash” attack that involves broadcasting a combination of signals that places cardiac devices into a state of malfunction. A crash attack can remotely disable a cardiac device and possibly cause an implant to “pace at a dangerous rate.”

MedSec described another type of theoretical attack called a “battery drain attack.” In this case the attack generates signals from the Merlin@home device to run down the batteries in a cardiac device at an accelerated rate. In a test of the attack, MedSec depleted the battery of one implant to approximately three percent of capacity over a 24-hour period.

Despite the scathing review of St. Jude Medical, Muddy Waters said it wasn’t aware of any imminent threat to patient safety. “However, we believe it is prudent from a security standpoint for STJ to immediately disable the RF capability of patients’ implanted devices,” it wrote.
