Bugs in heart implants can be used to deliver shocks, experts say

Security experts have backed claims that flaws in heart implants made by St Jude Medical can be used to deliver electric shocks.

Short-seller firm Muddy Waters on Monday released a report from security consultancy Bishop Fox that support claims it made in August that St Jude Medical implants contain flaws that hackers could use to kill patients.

St Jude Medical implant devices are used by hundreds of thousands of patients across the world, including in Australia. The US Food & Drug Administration warned earlier this month that lithium ion batteries in 350,000 St Jude Medical Implantable Cardioverter Defibrillator (ICD) devices could run out of power prematurely.

St Jude has disputed Muddy Waters claims and in September sued the firm and MedSec, a security company contracted by the short-seller that wrote a technical report detailing flaws in the device maker's implants.

Responding to the suit, MedSec’s legal counsel hired Bishop Fox to independently review its claims and test whether the exploits could be reproduced. The evaluation covered St Jude’s PCS Programmer, an induction wand called Merlin@home, its implantable cardio defibrillator (ICD), and pacemaker.

Bishop Fox said it conducted its analysis of St Jude devices in late September using devices and exploits provided by MedSec, which has since retained Bishop Fox as an expert opinion in its legal defense.

The team that reviewed MedSec’s work included experts in radio frequency security, incident response, and hardware security, with cryptography reviewed by well-known cryptographer Matthew Green, an assistant professor at Johns Hopkins University.

“My overall opinion regarding the security of the St. Jude Medical implantable cardiac device ecosystem is that the security measures I observed do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients,” Bishop Fox consultant Carl Livitt wrote in the report.

“I found that Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” Livitt added.

The biggest failing was the wireless or radio frequency (RF) protocol used for communicating between St Jude Medical cardiac implants and a remote management device called Merlin@home. Additionally, they found a backdoor if known to an attacker wouldn’t require knowing the keys used to protect encrypted communications between device.

The team of experts confirmed flaws in this protocol combined with other bugs could be abused to deliver shocks to patients from 10 feet (3m) away and that it wouldn’t require any action from the patient to exploit.

Livitt estimated that the attack distance could be extended to 45 feet (13m) if the Merlin@home device was equipped with an extra antennae, or 100 feet (30m) using a software defined radio.

MedSec provided Bishop Fox with two pieces of exploit code to send a command from Merlin@home to an implant. One of them didn’t contain a backdoor or “universal key” and another did. The former exploit failed, while the latter worked.

The case has fanned debate over how security researchers should report security flaws. Researchers who find bugs can reveal everything publicly before telling a vendor. Since this bug deals with regulated devices, Muddy Waters should report the bugs to the appropriate authority, which is the FDA.

MedSec CEO Justine Bone said today that the firm privately shared its security report with the FDA and Department of Homeland Security prior to Muddy Waters' publication. Bone also noted that MedSec hadn't revealed key details about the flaws.