St. Jude Patches Vulnerabilities in Cardiac Devices

St. Jude Medical has released security updates to patch some of the flaws discovered by MedSec in its cardiac devices, but the manufacturer insists that the risk of cyberattacks is very low.

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) launched an investigation after investment research firm Muddy Waters and security company MedSec teamed up and disclosed a series of vulnerabilities found in St. Jude implantable cardiac devices.

Following its acquisition by Abbott Laboratories on January 4, St. Jude announced on Monday the availability of security updates for Merlin remote monitoring systems, one of the products found to be vulnerable by MedSec.

According to an advisory published by ICS-CERT, version 8.2.2 of the Merlin software patches a high severity vulnerability (CVE-2017-5149) that can be exploited by a remote attacker to intercept and manipulate communications between the Merlin unit and implanted cardiac devices. The updates will be rolled out automatically to affected devices over the coming months.

Muddy Waters and MedSec disclosed the vulnerabilities as part of an investment strategy, claiming that St. Jude puts profits before patients. St. Jude has refuted the claims and even filed a lawsuit against the companies. Third-party researchers are divided on the matter, with some siding with MedSec and others with St. Jude.

MedSec and Muddy Waters believe the patches released by St. Jude represent an acknowledgement of the vulnerabilities, and pointed out that some of the serious flaws still have not been addressed, including ones that could allegedly allow hackers to “control the implants.”

“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters,” said Carson Block of Muddy Waters Capital. “This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.”

Justine Bone, CEO of MedSec, also issued a statement: “We acknowledge St. Jude Medical’s effort in the remediation of this vulnerability which was rated as High severity by the Department of Homeland Security. We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin @ Home device. MedSec remains available to assist Abbott Laboratories during this process.”

St. Jude has pointed out that it’s not aware of any attacks or other cybersecurity incidents involving affected devices. The company, which has not dropped the lawsuit against MedSec and Muddy Waters, says it has released the security update to “further reduce the extremely low cyber security risks.”

While ICS-CERT classified the patched flaw as high severity, it also said the weakness can only be exploited by a highly skilled attacker.

The FDA has reviewed the vulnerabilities and confirmed that they can be exploited to remotely access implanted devices through the Merlin system and potentially cause rapid depletion of their battery. Attackers could also cause inappropriate pacing in the implanted device and deliver shocks to the victim.

However, the FDA has determined that “the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.