Skip to main content

Hackers can use heart-rate monitors to send jolts to cardiac implants, experts say

1129714 autosave v1 hackers22
Shutterstock
There is an ongoing legal dispute taking place between St. Jude Medical Inc. and several companies and individuals over specific cardiac implants that are monitored by the Merlin.net Patient Care Network (PCN). The latest chapter in the ongoing battle appeared on Monday in a legal brief stating that cyber security experts hired by one of the defendants, Muddy Waters, have validated vulnerabilities in St. Jude’s monitoring service.

PCN is a service that monitors and reports cardiac information stemming from St. Jude Medical implanted devices spanning pacemakers (Assurity and Endurity) and Implantable Cardioverter Defibrillators (Ellipse and Fortify Assura). The provided Merlin@Home transmitter sits by the bedside and monitors the patient’s implant while they sleep, sending the information over a telephone, cellular, or broadband connection. This prevents patients from having to make a visit to the doctor for a device check.

However, hackers can reportedly gain access to these Merlin@Home devices and potentially kill the connected patient. St. Jude Medical says that is not possible, and filed a lawsuit against Muddy Waters, cyber research firm MedSec Holdings, Dr. Hemal M. Nayak, and Carson C. Block on September 7. The lawsuit claims that these companies and individuals are distributing false information about St. Jude Medical’s devices to manipulate its stock price, which dropped five percent the day the hacking accusations were disclosed.

In retaliation, the defendants filed the legal brief in U.S. district court in Minnesota on Monday. In addition to disputing St. Jude Medical’s stock-related claim, the brief includes an attached 53-page report provided by cyber security firm Bishop Fox detailing how hackers can gain access to Merlin@Home monitoring devices and kill patients by sending shocks or turning off specific functions.

Four videos of the Merlin@Home hacks can be seen here. As seen in the first video, hackers can use a laptop connected to a Merlin@Home device via a USB to Ethernet cable, the latter of which is used because the device already has everything needed to communicate directly to the St. Jude defibrillator or pacemaker. After that, the hacker can simply send a command to the implant.

The command information was originally found unencrypted on the Merlin programmer used to monitor and program a patient’s implant in-office. The command identification and execution process was aided by an attached developer tool that lists all the commands. In turn, these commands can change how the implant works. The laptop used in the hacking test relies on code put together by reverse engineering Java commands from the Merlin programmer.

“The commands can be executed because the communication protocol is poorly implemented and easily defeated,” the video states. “Even worse, there’s a critical, underlying vulnerability in the protocol, a universal key otherwise known as a back door. Just as the developers left debug code in the production apps of the Merlin@Home devices, they also carelessly and incompetently left a back door in their production code for the communication protocol.”

Thus, an attacker can open a communication channel to an implant and send an executable command, just like the medical technician overlooking the patient. Using this vulnerability, the MedSec research team could deliver an emergency shock, deliver a shock to correct ventricle defibrillation (Shock-On-T), specifically vibrate the defibrillator, and disable the function for controlling an abnormal rapid heart rate (tachycardia therapy).

Even more, commands can be combined. The research team could generate an attack that disables tachy therapy and then send a shock to correct a nonexistent ventricle problem, thus resulting in possible cardiac arrest. If that was not bad enough, the shock command channel can remain open, delivering a continual discharge.

Pacemakers and defibrillators can be controlled remotely at the doctor’s office by placing a circular wand over the implant. This allows the technician to program new instructions, and to test the device functions like manually speeding up and slowing down the heart rate. However, the Merlin@Home monitor obviously has the ability to connect and scan an implant without the wand peripheral.

Monday’s full report can be read here.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
What is Gemini Advanced? Here’s how to use Google’s premium AI
Google Gemini on smartphone.

Google's Gemini is already revolutionizing the way we interact with AI, but there is so much more it can do with a $20/month subscription. In this comprehensive guide, we'll walk you through everything you need to know about Gemini Advanced, from what sets it apart from other AI subscriptions to the simple steps for signing up and getting started.

You'll learn how to craft effective prompts that yield impressive results and stunning images with Gemini's built-in generative capabilities. Whether you're a seasoned AI enthusiast or a curious beginner, this post will equip you with the knowledge and techniques to harness the power of Gemini Advanced and take your AI-generated content to the next level.
What is Google Gemini Advanced?

Read more
AMD Zen 5: everything we know about AMD’s next-gen CPUs
A hand holding AMD's Ryzen 9 9950X.

AMD Zen 5 is the next-generation Ryzen CPU architecture for Team Red. And after a major showing at Computex 2024, it's ready for a July launch. AMD promises major performance advantages for the new architecture that will give it a big leap in performance in gaming and productivity tasks, and the company also claims it will have major leads over Intel's top 14th-generation alternatives, allowing it to compete among the best processors.

We'll need to wait for the release to know for sure how these chips perform, but here's what we know about Zen 5 so far.
Zen 5 release date, availability, and price
AMD confirmed that the Ryzen 9000 desktop processors will launch on July 31, 2024, which marks two weeks after the launch date of the Ryzen AI 300. The initial lineup includes the Ryzen 9 9950X, the Ryzen 9 9900X, the Ryzen 7 9700X, and the Ryzen 5 9600X.

Read more
How to clean a mouse pad — the right way
The Glorious Model O 2 Pro mouse sitting on a desk.

Even the latest and most "exciting" mouse mats can get dirty after long-term use. So it's a good idea to clean your mouse pad now and again — it not only looks better but it's more hygienic, too.

Here's how to clean your mouse pad to get it back to near-new condition.

Read more