The United States Food and Drug Administration (FDA) has completed its investigation into claims that vulnerabilities in St. Jude Medical devices could be remotely exploited by hackers wishing to cause patients harm. Last summer, Muddy Waters published a damning report on ‘stunning’ security vulnerabilities in St. Jude Medical devices that posed a serious risk to patients.
The short-selling firm had been contacted by a cybersecurity startup called MedSec and was provided with details of a number of alleged security vulnerabilities in St. Jude Medical devices, including some of its most popular defibrillators and pacemakers and their associated systems.
While the devices are intended to help control patients’ heart functions, the flaws could potentially be exploited by individuals and used to cause patients serious harm. A hacker could attack the Merlin@home transmitter that connects to the implanted cardiac devices and cause the batteries in the implants to fail. It would also be possible for an attacker to disrupt the pacing function and deliver shocks to patients’ hearts. St. Jude Medical denied that the vulnerabilities existed and, in the fall of last year, sued Muddy Waters for disseminating false and misleading information about its cardiac devices.
Muddy Waters claimed that, even with little technical expertise, staff at the firm were able to replicate MedSec researchers’ results, although at the time not all security experts agreed that the flaws existed. An independent group of researchers found the results of a test of device vulnerabilities to be inconclusive.
However, the FDA investigated and this week confirmed that the vulnerabilities do exist and that an attacker could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.”
While there is a serious risk of harm being caused to patients, it does not appear that any device attacks have occurred to date. Patients have been advised that they should continue using their devices and have been told that the Merlin@home transmitter will be automatically updated this week with a patch that addresses “the greatest risks.”
The patch was developed by Abbott Laboratories, the company that recently bought St. Jude Medical. Abbott Laboratories has been working closely with the FDA and DHA over the past months to correct security flaws in its devices.
However, the patch does not address all vulnerabilities in St. Jude Medical devices. As Carson Block of Muddy Waters explained, “the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
The FDA has assessed the patch and believes it will be effective at reducing the risk of the devices being exploited and patients being harmed. However, patients must ensure that their Merlin@home device is plugged in and connected to the Merlin network this week in order for the patch to be applied.