Hackers can use heart-rate monitors to send jolts to cardiac implants, experts say

PCN is a service that monitors and reports cardiac information stemming from St. Jude Medical implanted devices spanning pacemakers (Assurity and Endurity) and Implantable Cardioverter Defibrillators (Ellipse and Fortify Assura). The provided Merlin@Home transmitter sits by the bedside and monitors the patient’s implant while they sleep, sending the information over a telephone, cellular, or broadband connection. This prevents patients from having to make a visit to the doctor for a device check.

However, hackers can reportedly gain access to these Merlin@Home devices and potentially kill the connected patient. St. Jude Medical says that is not possible, and filed a lawsuit against Muddy Waters, cyber research firm MedSec Holdings, Dr. Hemal M. Nayak, and Carson C. Block on September 7. The lawsuit claims that these companies and individuals are distributing false information about St. Jude Medical’s devices to manipulate its stock price, which dropped five percent the day the hacking accusations were disclosed.

In retaliation, the defendants filed the legal brief in U.S. district court in Minnesota on Monday. In addition to disputing St. Jude Medical’s stock-related claim, the brief includes an attached 53-page report provided by cyber security firm Bishop Fox detailing how hackers can gain access to Merlin@Home monitoring devices and kill patients by sending shocks or turning off specific functions.

Four videos of the Merlin@Home hacks can be seen here. As seen in the first video, hackers can use a laptop connected to a Merlin@Home device via a USB to Ethernet cable, the latter of which is used because the device already has everything needed to communicate directly to the St. Jude defibrillator or pacemaker. After that, the hacker can simply send a command to the implant.

The command information was originally found unencrypted on the Merlin programmer used to monitor and program a patient’s implant in-office. The command identification and execution process was aided by an attached developer tool that lists all the commands. In turn, these commands can change how the implant works. The laptop used in the hacking test relies on code put together by reverse engineering Java commands from the Merlin programmer.

“The commands can be executed because the communication protocol is poorly implemented and easily defeated,” the video states. “Even worse, there’s a critical, underlying vulnerability in the protocol, a universal key otherwise known as a back door. Just as the developers left debug code in the production apps of the Merlin@Home devices, they also carelessly and incompetently left a back door in their production code for the communication protocol.”

Thus, an attacker can open a communication channel to an implant and send an executable command, just like the medical technician overlooking the patient. Using this vulnerability, the MedSec research team could deliver an emergency shock, deliver a shock to correct ventricle defibrillation (Shock-On-T), specifically vibrate the defibrillator, and disable the function for controlling an abnormal rapid heart rate (tachycardia therapy).

Even more, commands can be combined. The research team could generate an attack that disables tachy therapy and then send a shock to correct a nonexistent ventricle problem, thus resulting in possible cardiac arrest. If that was not bad enough, the shock command channel can remain open, delivering a continual discharge.

Pacemakers and defibrillators can be controlled remotely at the doctor’s office by placing a circular wand over the implant. This allows the technician to program new instructions, and to test the device functions like manually speeding up and slowing down the heart rate. However, the Merlin@Home monitor obviously has the ability to connect and scan an implant without the wand peripheral.

Monday’s full report can be read here.