Security Experts: St. Jude Heart Devices can be Hacked

Imagine having a device implanted in your heart to help it keep beating, only to be told there’s a chance someone with nefarious intentions could hack into it. That is exactly what experts are warning could happen to cardiac implants made by device maker St. Jude Medical Inc.
The frightening claim comes from the short-selling firm Muddy Waters, which said in a legal brief filed October 21 that experts from the boutique security firm Bishop Fox have validated its claims. [1]

Vulnerabilities

The concern centers around the Merlin@Home transmitter, which according to St. Jude, “allows efficient remote care management of patients with implanted cardiac devices through scheduled transmissions and daily alert monitoring.” [2]
The claims were made back in August by Muddy Waters founder Carson Block, who cited presentations by security experts that showed hackers could convert the Merlin@Home devices into “weapons” that could cause cardiac implants to stop delivering shocks to patients’ hearts. [3]
St. Jude’s chief technology officer Phil Ebeling said at the time that the claims were “absolutely untrue,” and that the device maker had “several layers of security measures in place” and conducts regular security assessments.
The medical device maker responded to Muddy Waters’ claims by filing a lawsuit against the firm on September 7. [1]
However, the 53-page Bishop Fox report released by Muddy Waters last Friday shows that St. Jude implantable cardiac devices are more vulnerable to hacking than the company either realizes or wants to admit.

According to Bishop Fox, this could be done in a number of ways. In one possible scenario, a hacker could remotely turn off the therapeutic functions of an implantable cardioverter defibrillator (ICD), then send a T-wave shock to a patient’s heart, causing ventricular fibrillation, which could lead to cardiac arrest.
Bishop Fox claims in its report that it tested the attacks from 10 feet (3 meters) away, but it is possible for someone to attack from up to 45 feet away using an antenna, or 100 feet away using a transmitting device called a software-defined radio.
The report was submitted in federal court in Minnesota as evidence by Muddy Waters in its legal defense.
Short sellers bet that stock prices will fall, selling borrowed shares so they can buy them back at a lower price and profit from the difference. St. Jude alleges that Muddy Waters intentionally disseminated the information about the devices to manipulate its stock price, which fell 5% the day Muddy Waters went public with its claim.
Bishop Fox said it shored up Muddy Waters’ claim with help from well-known specialists in cryptography, computer hardware hacking, forensics, and wireless communications.

Risky Business

Medical-device hacking, or “medjacking,” sounds like a scary sci-fi movie plot, but it’s so realistic and serious that the FBI warned about its potential in September 2015.
The bureau warned:

“Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety.”

Former Vice President Dick Cheney was so concerned about his heart defibrillator being hacked that he had the wireless connection disconnected several years ago.
The U.S. Food and Drug Administration (FDA) urges hospital network administrators and medical device makers to take these steps to prevent possible “medjackings”:

  • Limiting authorized access to medical devices that connect to the hospital network
  • Protecting individual elements of the device from exploitation
  • Designing the device to function in fail-safe modes
  • Creating retention and recovery modes for the device
  • Monitoring the hospital network for use
  • Evaluating network components
  • Installing security patches to networks if necessary

Sources:
[1] Reuters
[2] Boing Boing
[3] CNN Money
Mass Device