St. Jude Medical today released an update for the Merlin@home Transmitter medical device that includes a patch for vulnerabilities made public last year in a controversial disclosure by research company MedSec Holdings and hedge fund Muddy Waters.
In a paper published last August, Muddy Waters said that vulnerabilities in the remote transmitter used to communicate with St. Jude Medical’s implantable cardiac devices left defibrillators and pacemakers exposed to attack and put patients’ physical safety at risk.
The disclosure was compounded by a short position Muddy Waters held on St. Jude Medical stock that allowed it and MedSec to profit should St. Jude stock drop in value. Muddy Waters said it expected close to half of St. Jude Medical revenue to drop as a result of the disclosure and that remediation would take close to two years. St. Jude Medical, which has since been acquired by Abbott Laboratories, is trading at $80.82 today, up from $77.82 on Aug. 25.
Muddy Waters today called the patches a “long-overdue acknowledgement” and alleged again that St. Jude Medical prioritizes profits over patients.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities,” said Carson Block, Muddy Waters CEO, in a statement provided to Threatpost. “Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
Justine Bone, CEO of MedSec, echoed what Block said regarding the remaining vulnerabilities.
“We acknowledge St. Jude Medical’s effort in the remediation of this vulnerability which was rated as High severity by the Department of Homeland Security,” Bone said. “We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin@home device. MedSec remains available to assist Abbott Laboratories during this process.”
In October, research outfit Bishop Fox said in a legal filing on behalf of Muddy Waters and MedSec countering a suit filed by St. Jude Medical, that a universal key, or backdoor, could be exploited to send commands from the Merlin@home transmitter to the implanted device. Bishop Fox said it developed an attack that could issue an emergency shock command to the implanted device. Bishop Fox also described two other attacks in its report that could deliver dangerous shocks to patients, as well as wireless protocol vulnerabilities that it had found.
The U.S. Food and Drug Administration, meanwhile, partnered with St. Jude Medical on today’s announcement, and recommended that providers and patients continue to use the affected devices.
“The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the FDA said in a statement. “The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”
Today’s update will be automatically pushed to Merlin@home devices, and patients are advised to ensure the remote monitoring tool is connected to the Merlin.net network in order to pull down the patch.
The initial Muddy Waters report said it saw two demonstrations of attacks against implantable cardiac devices through the Merlin@home Transmitter. Should an attacker gain access to the device, they could change configurations and cause a device to malfunction and either alter pacing to dangerous rates, or deliver harmful shocks. Attackers could also cause the battery to drain. The attacks, the report said, are within reach of relatively unskilled hackers.
Muddy Waters and MedSec said in August that the communication protocols for Merlin@home Transmitters lacked encryption and authentication mechanisms and were compromised.
“As a result, an attacker can impersonate a Merlin@Home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework,” Muddy Waters’ report said.
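The two protections the report says the transmitter-to-implant channel lacked are authentication and resistance to impersonation; the following constructed model (added here, not St. Jude Medical's protocol or code, which the article does not describe) shows how a per-device pairing key plus a single-use challenge nonce makes an implant reject both a forged command from an impersonating sender and a replayed legitimate one. Device identifiers, command strings and the HMAC construction are illustrative assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed model of an implant that accepts configuration commands only
# from the transmitter it was paired with (per-device key, not a universal
# code) and only in answer to a fresh challenge (no replay of captured traffic).
class Implant:
    def __init__(self, device_id: str, pairing_key: bytes):
        self.device_id = device_id
        self._key = pairing_key      # set at pairing; unique to this implant
        self._pending = None         # nonce of the outstanding challenge
        self.log = []                # audit trail of accept/reject decisions

    def challenge(self) -> bytes:
        """Issue a fresh random nonce that the next command must be bound to."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def receive(self, command: bytes, nonce: bytes, tag: bytes) -> bool:
        """Accept only if nonce is the outstanding one and tag is a valid MAC
        over (device_id, nonce, command) under this implant's pairing key."""
        if self._pending is None or nonce != self._pending:
            self.log.append(("reject-stale-or-replayed", command))
            return False
        self._pending = None         # nonce is single use
        expected = hmac.new(self._key, self.device_id.encode() + nonce + command,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.log.append(("reject-unauthenticated", command))
            return False
        self.log.append(("accept", command))
        return True

def transmitter_sign(key: bytes, device_id: str, nonce: bytes, command: bytes) -> bytes:
    """Paired transmitter side: MAC the command under the shared per-device key."""
    return hmac.new(key, device_id.encode() + nonce + command, hashlib.sha256).digest()

def scenario():
    key = secrets.token_bytes(32)                     # established at pairing
    implant = Implant("IMPLANT-0001", key)
    cmd = b"SET_PARAMETER=example"                    # constructed command
    # 1. Paired transmitter answers a fresh challenge: accepted.
    n1 = implant.challenge()
    ok = implant.receive(cmd, n1, transmitter_sign(key, "IMPLANT-0001", n1, cmd))
    # 2. Impersonator holding only a guessed/universal key: rejected.
    n2 = implant.challenge()
    forged = implant.receive(cmd, n2, transmitter_sign(b"universal", "IMPLANT-0001", n2, cmd))
    # 3. Replay of the earlier valid message after its nonce was consumed: rejected.
    replay = implant.receive(cmd, n1, transmitter_sign(key, "IMPLANT-0001", n1, cmd))
    return ok, forged, replay
```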
The decision to publicly disclose the vulnerabilities while capitalizing on the short position opened a new front in the disclosure debate, and resurrected a number of conversations around the ethics of where and when to report vulnerabilities in software and devices.
The FDA, which along with the Department of Homeland Security opened an investigation in September, said today that it will continue to assess any new information around St. Jude device security and alter its recommendations if need be.
“The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA said. “The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”
This article was updated Jan. 9 at 6:30 p.m. with a statement from MedSec.