After Lawsuits And Denial, Pacemaker Vendor Finally Admits Its Product Is Hackable

from the digital wetworks dept

So we’ve noted how the lack of security in the Internet of Things is a bit of a problem. Initially, many of us thought that easily hacked smart tea kettles and smart refrigerators were kind of cute. Then we realized that this same, paper-mache grade security is also apparently embedded in everything from automobiles to medical gear. Then, more recently, we realized that all of these poorly-secured devices were being quickly compromised and used in botnets to help fuel massive, historically unprecedented, new DDoS attacks. The warnings were there all along, we just chose to ignore them.

For more than a decade people had been warning that the security on pacemakers simply wasn’t very good. Despite these warnings, many of these devices are still vulnerable to attack. This week the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It’s notable as it’s the first time we’ve seen the government publicly acknowledge this specific type of threat.

The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They’re also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability. St. Jude Medical was quick to issue a statement patting itself on the back for patching its systems against “highly unlikely medical device cyber risks”:

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

Granted St. Jude Medical had previously received a bit of a nudge, and this isn’t the first time the company’s name has appeared in lights for the wrong reason. Security startup MedSec resorted to some creative tactics last year when it began shorting St. Jude Medical stock to try and highlight the company’s abysmal security, after the traditional vulnerability reporting process failed to get the company’s attention. At the time, MedSec Chief Executive Officer Justine Bone stated that the company consistently did little to nothing when vulnerabilities were reported:

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.”

St. Jude Medical’s first response was an outright denial, followed by a lawsuit against MedSec for “trying to frighten patients and caregivers.” Fast forward a few months, and St. Jude Medical is now trying to hold itself up as the poster child for proactive security and accountability. But the reality is that publicly shaming companies that can’t be bothered to prioritize user security (even when human lives are at risk) appears to pay notable dividends.

Filed Under: , , , ,
Companies: st. jude medical

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “After Lawsuits And Denial, Pacemaker Vendor Finally Admits Its Product Is Hackable”

Subscribe: RSS Leave a comment

Re: Not very reassuring

If I remember MedSec’s original report (prior to the stock shorting) correctly, these devices could be reprogrammed such that the communications log got rewritten as part of the reprogramming. This means that someone could reprogram the device, cause a heart attack, restore the transmitter to factory default settings (with a believable log), and there would be NO evidence that it wasn’t just either a natural heart event or an unforeseeable failure of the device following an update.

donna jonessays:

Re: Not very reassuring

my mother had a merlin home transmitter in her home, For what i dont know, I went to go check on her causee I hadnt heard from her and found her dead. Paperwork says she had a hear attack. I thought this machine regulated any
abnormal functions regarding the pacemaker. Im so upset..she passed this yr in august, I dont know where to start.


I really don't understand Saint Jude Medical.

They were willing to spend money on a lawsuit but NOT on fixing security flaws.

Did anybody at that company understand that if a malicious attacker killed somebody using a security flaw and it were proven in court, they might be driven to bankruptcy by the settlement?

Also, there’s a little item in the lawbooks called “criminal negligence”…


highly unlikely medical device cyber risks

as in, i can’t imagine somebody would actually do that. otherwise, good goddamn luck.

this smells exactly like the japanese assuring all that a tsunami greater than 10 meters is a virtual impossibility. i wonder if they’d like to run that opportunity past them again with all set back to that point in time.


Who do you mean 'we'?

I NEVER chose to ignore them. I have not been into security to the level of Krebs and friends but I have been into Unix security since ~1980 and Linux since its inception release 0.95.

I have warned many of my friends and family to avoid anything that can be accessed OVER THE WEB. If they must have it to block telnet, to keep it behind their firewall (which I also advised on keeping it tightly controlled). And I routinely advise store clerks to tell their customers to immediately change the passwords and admin names.

I am very serious about security. I have backed off on only having one serial line to be able to login as root on my file server. Only because the file server now sits behind me.

Just this last week I warned a friend about Samsung smart(sic) TV and the always on mic.

This is a disaster I have known was coming. And voila here it is.


Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it