Hackers can use heart-rate monitors to send jolts to cardiac implants, experts say

St. Jude Medical Inc. is in an ongoing legal dispute with several companies and individuals over specific cardiac implants that are monitored by the Merlin.net Patient Care Network (PCN). The latest chapter appeared on Monday in a legal brief stating that cyber security experts hired by one of the defendants, Muddy Waters, have validated vulnerabilities in St. Jude’s monitoring service.

PCN is a service that monitors and reports cardiac information stemming from St. Jude Medical implanted devices spanning pacemakers (Assurity and Endurity) and Implantable Cardioverter Defibrillators (Ellipse and Fortify Assura). The provided Merlin@Home transmitter sits by the bedside and monitors the patient’s implant while they sleep, sending the information over a telephone, cellular, or broadband connection. This prevents patients from having to make a visit to the doctor for a device check.

However, hackers can reportedly gain access to these Merlin@Home devices and potentially kill the connected patient. St. Jude Medical says that is not possible, and filed a lawsuit against Muddy Waters, cyber research firm MedSec Holdings, Dr. Hemal M. Nayak, and Carson C. Block on September 7. The lawsuit claims that these companies and individuals are distributing false information about St. Jude Medical’s devices to manipulate its stock price, which dropped five percent the day the hacking accusations were disclosed.

In retaliation, the defendants filed the legal brief in U.S. district court in Minnesota on Monday. In addition to disputing St. Jude Medical’s stock-related claim, the brief includes an attached 53-page report provided by cyber security firm Bishop Fox detailing how hackers can gain access to Merlin@Home monitoring devices and kill patients by sending shocks or turning off specific functions.

Four videos of the Merlin@Home hacks can be seen here. As seen in the first video, hackers can use a laptop connected to a Merlin@Home device via a USB-to-Ethernet cable. The Merlin@Home device is used because it already has everything needed to communicate directly with the St. Jude defibrillator or pacemaker. After that, the hacker can simply send a command to the implant.

The command information was originally found unencrypted on the Merlin programmer used to monitor and program a patient’s implant in-office. The command identification and execution process was aided by an attached developer tool that lists all the commands. In turn, these commands can change how the implant works. The laptop used in the hacking test relies on code put together by reverse engineering Java commands from the Merlin programmer.

“The commands can be executed because the communication protocol is poorly implemented and easily defeated,” the video states. “Even worse, there’s a critical, underlying vulnerability in the protocol, a universal key otherwise known as a back door. Just as the developers left debug code in the production apps of the Merlin@Home devices, they also carelessly and incompetently left a back door in their production code for the communication protocol.”

Thus, an attacker can open a communication channel to an implant and send an executable command, just like the medical technician overseeing the patient. Using this vulnerability, the MedSec research team could deliver an emergency shock, deliver a shock to correct ventricle defibrillation (Shock-On-T), specifically vibrate the defibrillator, and disable the function for controlling an abnormal rapid heart rate (tachycardia therapy).

Even more, commands can be combined. The research team could generate an attack that disables tachy therapy and then send a shock to correct a nonexistent ventricle problem, thus resulting in possible cardiac arrest. If that was not bad enough, the shock command channel can remain open, delivering a continual discharge.

Pacemakers and defibrillators can be controlled remotely at the doctor’s office by placing a circular wand over the implant. This allows the technician to program new instructions, and to test the device functions like manually speeding up and slowing down the heart rate. However, the Merlin@Home monitor obviously has the ability to connect and scan an implant without the wand peripheral.

Monday’s full report can be read here.

Kevin Parrish
Former Digital Trends Contributor