Hackers can use heart-rate monitors to send jolts to cardiac implants, experts say

1129714 autosave v1 hackers22
Shutterstock
There is an ongoing legal dispute taking place between St. Jude Medical Inc. and several companies and individuals over specific cardiac implants that are monitored by the Merlin.net Patient Care Network (PCN). The latest chapter in the ongoing battle appeared on Monday in a legal brief stating that cyber security experts hired by one of the defendants, Muddy Waters, have validated vulnerabilities in St. Jude’s monitoring service.

PCN is a service that monitors and reports cardiac information stemming from St. Jude Medical implanted devices spanning pacemakers (Assurity and Endurity) and Implantable Cardioverter Defibrillators (Ellipse and Fortify Assura). The provided Merlin@Home transmitter sits by the bedside and monitors the patient’s implant while they sleep, sending the information over a telephone, cellular, or broadband connection. This prevents patients from having to make a visit to the doctor for a device check.

However, hackers can reportedly gain access to these Merlin@Home devices and potentially kill the connected patient. St. Jude Medical says that is not possible, and filed a lawsuit against Muddy Waters, cyber research firm MedSec Holdings, Dr. Hemal M. Nayak, and Carson C. Block on September 7. The lawsuit claims that these companies and individuals are distributing false information about St. Jude Medical’s devices to manipulate its stock price, which dropped five percent the day the hacking accusations were disclosed.

In retaliation, the defendants filed the legal brief in U.S. district court in Minnesota on Monday. In addition to disputing St. Jude Medical’s stock-related claim, the brief includes an attached 53-page report provided by cyber security firm Bishop Fox detailing how hackers can gain access to Merlin@Home monitoring devices and kill patients by sending shocks or turning off specific functions.

Four videos of the Merlin@Home hacks can be seen here. As seen in the first video, hackers can use a laptop connected to a Merlin@Home device via a USB to Ethernet cable, the latter of which is used because the device already has everything needed to communicate directly to the St. Jude defibrillator or pacemaker. After that, the hacker can simply send a command to the implant.

The command information was originally found unencrypted on the Merlin programmer used to monitor and program a patient’s implant in-office. The command identification and execution process was aided by an attached developer tool that lists all the commands. In turn, these commands can change how the implant works. The laptop used in the hacking test relies on code put together by reverse engineering Java commands from the Merlin programmer.

“The commands can be executed because the communication protocol is poorly implemented and easily defeated,” the video states. “Even worse, there’s a critical, underlying vulnerability in the protocol, a universal key otherwise known as a back door. Just as the developers left debug code in the production apps of the Merlin@Home devices, they also carelessly and incompetently left a back door in their production code for the communication protocol.”

Thus, an attacker can open a communication channel to an implant and send an executable command, just like the medical technician overlooking the patient. Using this vulnerability, the MedSec research team could deliver an emergency shock, deliver a shock to correct ventricle defibrillation (Shock-On-T), specifically vibrate the defibrillator, and disable the function for controlling an abnormal rapid heart rate (tachycardia therapy).

Even more, commands can be combined. The research team could generate an attack that disables tachy therapy and then send a shock to correct a nonexistent ventricle problem, thus resulting in possible cardiac arrest. If that was not bad enough, the shock command channel can remain open, delivering a continual discharge.

Pacemakers and defibrillators can be controlled remotely at the doctor’s office by placing a circular wand over the implant. This allows the technician to program new instructions, and to test the device functions like manually speeding up and slowing down the heart rate. However, the Merlin@Home monitor obviously has the ability to connect and scan an implant without the wand peripheral.

Monday’s full report can be read here.

Computing

AMD Ryzen CPU prices get slashed ahead of Ryzen 3000 release

AMD's Ryzen CPUs have had their prices slashed as we edge towards the release of their third generation. Whether you're a gamer or someone who needs multi-threaded performance, there's a deal for everyone with some heavy discounts to take…
Movies & TV

The best movies on Netflix in March, from Buster Scruggs to Roma

Save yourself from hours wasted scrolling through Netflix's massive library by checking out our picks for the streamer's best movies available right now, whether you're into explosive action, witty humor, or anything else.
Movies & TV

The best shows on Netflix right now (April 2019)

Looking for a new show to binge? Lucky for you, we've curated a list of the best shows on Netflix, whether you're a fan of outlandish anime, dramatic period pieces, or shows that leave you questioning what lies beyond.
Movies & TV

The best movies on Amazon Prime Video right now (April 2019)

Amazon Prime Video provides subscribers with access to a host of fantastic films, but sorting through the catalog can be a major undertaking. Luckily, we've done the work for you. Here are the best movies on Amazon Prime Video right now.
Computing

The number pad on HP’s Chromebook 15 makes spreadsheet work a breeze

HP's Chromebook 15 comes with a 15.6-inch display, a metal keyboard deck with full-size keys, and a dedicated number pad, making it the second Chromebook model, following Acer's Chromebook 715, to be suited for spreadsheet work.
Computing

Worried about your online privacy? We tested the best VPN services

Browsing the web can be less secure than most users would hope. If that concerns you, a virtual private network — aka a VPN — is a decent solution. Check out a few of the best VPN services on the market.
Computing

AMD’s 2020 Ryzen CPUs could have a big boost in power efficiency

The sequel to AMD's Zen 2-based Ryzen 3000 CPUs is slated for a 2020 release and when it arrives, could leverage the new Zen 3 architecture to deliver impressive gains to performance and power efficiency.
Computing

Gaming on a laptop has never been better. These are your best options

Gaming desktops are powerful, but they tie you down to your desk. For those of us who prefer a more mobile experience, here are the best gaming laptops on the market, ranging from budget machines to maxed-out, wallet-emptying PCs.
Computing

Here's how you can download the best free music players for your Mac

Tired of your Mac's default music player? Take a look at our picks for the best free music players available for your Apple rig. Whether you're a casual listener or an audiophile, you're sure to find something that fits your needs here.
Computing

Want to make calls across the internet for less? Try these great VOIP services

Voice over IP services are getting more and more popular, but there are still a few that stand above the pack. In this guide, we'll give you a few options for the best VOIP services for home and business users.
Gaming

Transform into the ultimate leader with our tips and tricks for Civilization 6

Civilization VI offers both series veterans and total newcomers a lot to chew on from the get-go. Here are some essential starting tips to help you master the game's many intricacies.
Computing

The iPhone’s Screen Time and Siri Shortcuts could land on Macs this year

For its desktop computers, it appears that Apple may continue to draw from the iPhone for inspiration. iOS 12 features, like Screen Time and Siri Shortcuts, are believed to be making their way to MacOS this year at WWDC in June.
Computing

Dell slashes prices of XPS 13 and Alienware 17 laptops in latest promo

Dell's latest promotion will score you big savings on the XPS 13 or the Alienware 17. The stylish XPS 13's discount is for $430, and only the rose gold model is on sale, while gamers who choose the Alienware 17 will save $860.
Computing

Lenovo’s Yoga C930 sale drops a $650 discount on its 2TB SSD laptop

Lenovo is offering one of its 2-in-1 laptops at a $650 discount. This Lenovo Yoga C930 laptop comes with a 2TB solid-state drive, a digital pen, a fingerprint reader, and a Dolby Atmos sound bar.