
St. Jude Patches Vulnerabilities in Cardiac Devices

St. Jude Medical has released security updates to patch some of the flaws discovered by MedSec in its cardiac devices, but the manufacturer insists that the risk of cyberattacks is very low.

St. Jude Medical has released security updates to patch some of the flaws discovered by MedSec in its cardiac devices, but the manufacturer insists that the risk of cyberattacks is very low.

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) launched an investigation after investment research firm Muddy Waters and security company MedSec teamed up and disclosed a series of vulnerabilities found in St. Jude implantable cardiac devices.

Following its acquisition by Abbott Laboratories on January 4, St. Jude announced on Monday the availability of security updates for Merlin remote monitoring systems, one of the products found to be vulnerable by MedSec.

According to an advisory published by ICS-CERT, version 8.2.2 of the Merlin software patches a high severity vulnerability (CVE-2017-5149) that can be exploited by a remote attacker to intercept and manipulate communications between the Merlin unit and implanted cardiac devices. The updates will be rolled out automatically to affected devices over the coming months.

Muddy Waters and MedSec disclosed the vulnerabilities as part of an investment strategy, claiming that St. Jude puts profits before patients. St. Jude has disputed the claims and even filed a lawsuit against the companies. Some third-party researchers have sided with MedSec and others with St. Jude in the matter.

MedSec and Muddy Waters believe the patches released by St. Jude represent an acknowledgement of the vulnerabilities, and pointed out that some of the serious flaws still have not been addressed, including ones that could allegedly allow hackers to “control the implants.”

“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters,” said Carson Block of Muddy Waters Capital. “This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.”

Justine Bone, CEO of MedSec, also issued a statement: “We acknowledge St. Jude Medical’s effort in the remediation of this vulnerability which was rated as High severity by the Department of Homeland Security. We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin @ Home device. MedSec remains available to assist Abbott Laboratories during this process.”

St. Jude has pointed out that it’s not aware of any attacks or other cybersecurity incidents involving affected devices. The company, which has not dropped the lawsuit against MedSec and Muddy Waters, says it has released the security update to “further reduce the extremely low cyber security risks.”

While ICS-CERT classified the patched flaw as high severity, it also said the weakness can only be exploited by a highly skilled attacker.

The FDA has reviewed the vulnerabilities and confirmed that they can be exploited to remotely access implanted devices through the Merlin system and potentially cause rapid depletion of their battery. Attackers could also cause inappropriate pacing in the implanted device and deliver shocks to the victim.

However, the FDA has determined that “the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
