Skip to main content

Hackers can use heart-rate monitors to send jolts to cardiac implants, experts say

1129714 autosave v1 hackers22
Shutterstock
There is an ongoing legal dispute taking place between St. Jude Medical Inc. and several companies and individuals over specific cardiac implants that are monitored by the Merlin.net Patient Care Network (PCN). The latest chapter in the ongoing battle appeared on Monday in a legal brief stating that cyber security experts hired by one of the defendants, Muddy Waters, have validated vulnerabilities in St. Jude’s monitoring service.

PCN is a service that monitors and reports cardiac information stemming from St. Jude Medical implanted devices spanning pacemakers (Assurity and Endurity) and Implantable Cardioverter Defibrillators (Ellipse and Fortify Assura). The provided Merlin@Home transmitter sits by the bedside and monitors the patient’s implant while they sleep, sending the information over a telephone, cellular, or broadband connection. This prevents patients from having to make a visit to the doctor for a device check.

Related Videos

However, hackers can reportedly gain access to these Merlin@Home devices and potentially kill the connected patient. St. Jude Medical says that is not possible, and filed a lawsuit against Muddy Waters, cyber research firm MedSec Holdings, Dr. Hemal M. Nayak, and Carson C. Block on September 7. The lawsuit claims that these companies and individuals are distributing false information about St. Jude Medical’s devices to manipulate its stock price, which dropped five percent the day the hacking accusations were disclosed.

In retaliation, the defendants filed the legal brief in U.S. district court in Minnesota on Monday. In addition to disputing St. Jude Medical’s stock-related claim, the brief includes an attached 53-page report provided by cyber security firm Bishop Fox detailing how hackers can gain access to Merlin@Home monitoring devices and kill patients by sending shocks or turning off specific functions.

Four videos of the Merlin@Home hacks can be seen here. As seen in the first video, hackers can use a laptop connected to a Merlin@Home device via a USB to Ethernet cable, the latter of which is used because the device already has everything needed to communicate directly to the St. Jude defibrillator or pacemaker. After that, the hacker can simply send a command to the implant.

The command information was originally found unencrypted on the Merlin programmer used to monitor and program a patient’s implant in-office. The command identification and execution process was aided by an attached developer tool that lists all the commands. In turn, these commands can change how the implant works. The laptop used in the hacking test relies on code put together by reverse engineering Java commands from the Merlin programmer.

“The commands can be executed because the communication protocol is poorly implemented and easily defeated,” the video states. “Even worse, there’s a critical, underlying vulnerability in the protocol, a universal key otherwise known as a back door. Just as the developers left debug code in the production apps of the Merlin@Home devices, they also carelessly and incompetently left a back door in their production code for the communication protocol.”

Thus, an attacker can open a communication channel to an implant and send an executable command, just like the medical technician overlooking the patient. Using this vulnerability, the MedSec research team could deliver an emergency shock, deliver a shock to correct ventricle defibrillation (Shock-On-T), specifically vibrate the defibrillator, and disable the function for controlling an abnormal rapid heart rate (tachycardia therapy).

Even more, commands can be combined. The research team could generate an attack that disables tachy therapy and then send a shock to correct a nonexistent ventricle problem, thus resulting in possible cardiac arrest. If that was not bad enough, the shock command channel can remain open, delivering a continual discharge.

Pacemakers and defibrillators can be controlled remotely at the doctor’s office by placing a circular wand over the implant. This allows the technician to program new instructions, and to test the device functions like manually speeding up and slowing down the heart rate. However, the Merlin@Home monitor obviously has the ability to connect and scan an implant without the wand peripheral.

Monday’s full report can be read here.

Editors' Recommendations

The best gaming monitors for 2023
Overwatch 2 running on the LG OLED 27 gaming monitor.

If you're looking for the best gaming monitor in 2023, Alienware's excellent 34 QD-OLED still takes the cake. However, it's not the perfect monitor for all gamers. We've reviewed dozens of monitors to find the top gaming displays you can buy right now, regardless of if you're chasing peak HDR experiences or high refresh rates for competitive titles.

We're focused specifically on gaming monitors here, which come with higher refresh rates and adaptive sync features like G-Sync and FreeSync. If you're looking for an all-around display, make sure to browse our list of the best monitors.

Read more
Watch ChatGPT come to life by powering this holographic AI companion
Looking Glass CEO, Shawn Frayne asks the holographic AI to complete the lyrics to the Rick Astley song Never Gonna Give You Up

ChatGPT is quickly being developed beyond its standard functionality on browsers and computer-based programs. One company has even created a "holographic AI companion" that uses the chatbot to bring its vision to life.

The company called Looking Glass recently shared on Twitter several demos of people interacting with its holographic AI companion, called Uncle Rabbit, which is able to communicate back-and-forth in real time with humans, while also completing tasks that people request.

Read more
This is how you can accidentally kill AMD’s best CPU for gaming
Someone holding the Ryzen 7 5800X3D in a red light.

It turns out that one of AMD's best gaming CPUs, the Ryzen 7 5800X3D, can accidentally be killed if you try to overclock it, and it's all because there are no limitations as to how far you can push the processor.

Igor Wallossek of Igor's Lab found that the software used for overclocking and overvolting Ryzen CPUs currently doesn't impose any limits when you try to ramp up the voltage. And that's a recipe for turning a fun performance boost into an overclocking nightmare.

Read more