The Challenges of Implanted Cardiac Device Security: Lessons From Recent Compromises

G. Stuart Mendenhall


Europace. 2019;21(4):535-538. 

In This Article

The Muddy Waters Case

In August 2016, the Muddy Waters LLC investment firm (New York, NY, USA) reported that a subset of St. Jude Medical (Saint Paul, MN, USA) ICDs contained a security flaw and were vulnerable to unauthorized access. These claims were made without notifying St. Jude in advance, although no programmes or direct details of the exploit were provided. Immediate disclosure of flaws and subsequent compromise of a computer system are often termed 'zero-day' exploits, referring to the time that the manufacturer has had to examine code and issue a repair.

St. Jude vigorously denied that the device compromise were significant, citing lack of detail of the demonstration and inconsistencies. Furthermore, the Muddy Waters firm was 'short' St. Jude medical stock, and stood to profit on the drop of the value of the shares of St. Jude. In September of 2016, St. Jude issued a lawsuit against Muddy Waters for defamation.

Subsequent revelations during litigation showed the cybersecurity corporation MedSec (Miami, FL, USA) had notified Muddy Waters of the potential security issue, and no notice was given to St. Jude before claims widely made. As part of their defence, Muddy Waters hired an external information technology security firm, Bishop Fox (Tempe, AZ, USA), to conclusively demonstrate that the devices had truly been compromised and form an expert witness report, giving further details into the device security issue.

Security Vulnerabilities Identified

In the expert witness report,[1] Bishop Fox outlines the device attack and felt that the Muddy Waters accusations were accurate as described. The attack uses a Merlin@home system monitor that was compromised to gain authorization over the device and total control, a process known as 'rooting'. In general, electronic devices, whether cellphones, computers, or pacemaker system analyzers (PSA), operate in user modes which limits the control over the device, both for security purposes and internal safety to prevent unintended modification of critical programmes or parameters. However, to preserve this limitation of access there must be essentially perfect programming; once any hole is found the protection programmes themselves can be modified and the device is compromised.

The security group used the compromised St. Jude Merlin@home unit and a laptop, to issue commands to an unmodified St. Jude ICD that allowed delivery of a T-wave shock, switch off therapy, or drain the device battery (Figure 1A). The firm noted that this could turn the relatively easily obtainable home monitoring unit, together with a laptop, into a mobile device that could compromise devices and potentially have a lethal outcome. With modifications the range of the Merlin@home communication, nominally approximately 10 feet, could be increased (Figure 1B), allowing an attacker to scan a crowd or area to compromise a device from a distance.

Figure 1.

(A) Direct connection to the Merlin@home transmitter allows compromise of the device internal security and issue of commands to stock (unmodified, unpatched) implantable cardiac device. (B) A compromised Merlin device is portable, and with modification to increase transmission range could be used to scan crowds and issue commands or re-programme vulnerable devices.

St. Jude made design choices that generally assumed that the devices would not have their internal software compromised, and maintained secret keys that are common to communication to all devices. They used weakened, but still encrypted, methods of radiofrequency transmission. A real-world analogy is use of the same key for all houses in a gated community. Individual homes (patient devices) are still locked, and any intruder would have to get past the main gate, but once the key is known it is no longer a barrier to access, and there may be ways around the main gate (rooting device). A better policy is to maintain individual keys and strong encryption even within areas that typically should not be vulnerable to attack.

After initially denying presence of the security issue, St. Jude released firmware updates that improved security of affected devices. A Merlin@home update[2] was released in January 2017, and new device firmware was released in August 2017. There is a small but non-zero risk of placing the device in a backup safety mode or rendering it unresponsive with the update, and the balance of these dual low risks are left up to the patient and physician.

Food and Drug Administration Response

In April of 2017, the United States Food and Drug Administration (FDA) sent a warning letter[3] to St. Jude criticizing the inadequate response to a third party cybersecurity risk assessment from April 2015, which had previously outlined the weak encryption and the vulnerability associated with hard-coded universal locking codes. The letter noted that failure to promptly correct the violations may result in regulatory action being initiated by the FDA. The new device firmware[4] pushed to the system analysers contain updates that ensure compliance and update the security to strong encryption.