St Jude Medical Updates Cardiac Devices but Flaws Persist

Written by

St Jude Medical (SJM) has finally released security updates for its cardiac implant devices, in a move which would seem to validate claims made by controversial IoT security firm MedSec which led to a bitter legal dispute last year.

The medical device maker is suing MedSec and short seller Muddy Waters for publishing what it claimed to be false information about bugs in its equipment which helped them make money off the stock market when shares in the firm inevitably fell on the news.

However, on Monday St Jude released several updates to its Merlin remote monitoring system that’s used with implantable pacemakers and defibrillator devices, a few days after its acquisition by Abbot completed.

In a statement, the firm made no reference to the ongoing lawsuit or the flaws found by MedSec:

“As technology evolves, St. Jude Medical made seven software updates in three years to the Merlin@home transmitter alone, and it will immediately release its latest software update to Merlin@home, which will begin to be implemented today. The update includes additional validation and verification between the Merlin@home device and St. Jude Medical has collaborated with the FDA, DHS ICS-CERT and other regulators in implementing this update. The company also plans to implement additional updates in 2017.”

In fact, the FDA published its findings on the identified vulnerabilities on Monday to coincide with the announcement.

The bugs in question could allow remote hackers to remotely deplete the battery on implanted cardiac devices or even administer shocks to the wearer.

The move by St Jude is significant in that it dismissed the findings of MedSec’s report as scaremongering when it was released last August.

"We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions,” it said in a statement a couple of months later after Muddy Waters brought in more third party experts to substantiate the claims.

Unsurprisingly, the short seller has reacted angrily to the news, issuing the following statement:

“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

Cryptographic expert Matthew Green agreed that the fixes do not solve the underlying problem: that the vulnerabilities that exist in the implantable devices can only be fixed by updating the firmware.

In a series of tweets he explained the situation as it stands.

“So far as I can see from the FDA and SJM announcements, nobody has yet proposed a plan to update implantable device firmware! I don't even know what that would entail. Maybe bringing patients into doctor's offices. A logistical frigging nightmare,” Green claimed.

“There are 1000s of Merlin at Home boxes in patients’ homes … Compromising one box at a time is very time consuming and unlikely. But what if you could push harmful code to all of them at once. That scenario is nightmare fuel. It should be keeping SJM and the FDA up at night until they can rule it out.”

What’s hot on Infosecurity Magazine?