FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security

from the your-heart-attack-has-an-IP-address dept

We’ve well established that the internet of things (IOT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail password leaking refrigerator take on a decidedly darker tone when we’re talking about your health. The health industry’s outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment — and integral medical implants like pacemakers.

After a decade of warnings about dubious pacemaker security, researchers at MedSec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical were vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical’s first response was an outright denial, followed by a lawsuit against MedSec for “trying to frighten patients and caregivers.”

Ultimately, the FDA was forced to issue its first ever warning about the security of a pacemaker earlier this year, though the agency somewhat downplayed the potentially fatal ramifications:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

Inappropriate, indeed. St. Jude Medical has since been acquired by Abbott Laboratories, and back in April the FDA sent a warning to Abbott that it needed to design a comprehensive plan to fix the flaw (first revealed in August of last year) within fifteen days. That was followed up with a formal, voluntary recall notice issued by the FDA regarding the impacted pacemaker, believed to be the first such warning of its kind. In its warning, the FDA urged the estimated 400,000 owners of this pacemaker model to schedule a physician appointment for a firmware update, lest they find themselves quite literally hacked.

The FDA’s alert was also joined by a warning by the Department of Homeland Security outlining the problem as such:

“The pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications…. The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.”

Comforting. Many security experts have been quick to point out that this may be the turning point at which companies finally begin taking these sorts of problems more seriously. But the lengths it took to bring us to this point are downright comical, involving MedSec going so far as to at one point short St. Jude stock to bring necessary attention to the problem. Hopefully, the entire saga is a shot over the bow that other security-apathetic medical implant manufacturers will wisely heed.

Companies: st. jude medical


Comments on “FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security”

Anonymous Coward says:


These flaws have not (that we know of publicly) killed anyone yet, nor even been used to substantially endanger anyone’s life. I don’t doubt that they could be used for those purposes, but until they are, I doubt the general public will care enough to cause any substantive change.

I am curious whether the process for updating the firmware to a non-vulnerable version is itself vulnerable to any dangerous flaws, such as loading it with unauthorized firmware.

I doubt such a law could go through, but it could be entertaining to see the results of a law that disallows disclaiming liability for known faults that lead to death. That would effectively allow the estate to pursue legal action against vendors who sell devices with known security defects. I assume no such law exists now, because if it did, the vendor would have rushed to fix this when the flaws were first announced, independent of any prompting by the FDA.

That Anonymous Coward (profile) says:

Re: Flaws

Well they had claimed that hacking pacemakers was impossible & was only fiction in a Homeland story line.

This of course had nothing to do with another company shorting their stock & pointing out they were hackable. They kept saying it was impossible as they tried to ignore the data.

The notices suggest that when you get your firmware updated, perhaps some people should be in the hospital ready to have outside pacing if the firmware bricks it.

They are much safer now, the new password is 12345 replacing 123 and making it much harder to hack them.

Anonymous Coward says:

Re: Flaws

These flaws have not (that we know of publicly) killed anyone yet, nor even been used to substantially endanger anyone’s life. I don’t doubt that they could be used for those purposes, but until they are, I doubt the general public will care enough to cause any substantive change.

Good job America has the FDA then.

The Baxter Colleague infusion pump was notorious for technical problems and AFAIK was implicated in a number of adverse incidents. Despite this, Baxter failed to make sufficient headway in resolving the problems, and in the end the FDA ordered that all such devices in the USA be recalled and destroyed.

nerd bert (profile) says:

Culture change required

I’m a hardware guy, and while I’ve not worked for St. Jude personally I’ve known many who worked there, at Medtronic, etc. In fact, the guy across the aisle is a veteran of those companies.

The problem at places like Medtronic is more cultural than anything. Medtronic is referred to internally as "The Country Club" for good reason: it’s a relatively slow moving tech company dominated by doctors and bureaucratic management. Now in general, that’s a good thing since your average techie is a little too willing to cut corners on verification than I’d like in a medical device, but it does lead to technological blind spots like in this case.

Trying to get a doctor interested in something that’s this esoteric and out of their sphere of knowledge is just about impossible. Doctors tend to be pretty dictatorial and when they don’t understand something like a tech issue, they just tend to ignore it as you can see from all the lax to non-existent security in just about all medical devices. In fact, one of the biggest complaints I’ve heard from the guys who worked in biomed companies is that it’s just about impossible for techies to get any input into serious decision or product specification. It makes it rather frustrating for techies in biomed companies who recognize real issues and yet get completely ignored and shut down. The fact biomed pays more poorly, equips its engineers with poor tools, and generally gives them little input into how things could be done isn’t a package that leads to excellence in the engineering staff overall. Although I know some very good engineers who work in biomed, they aren’t there for the pay or working conditions.

Most of these medical companies need to find a better way to balance the inputs of doctors and engineers. Right now there’s really no balance inside the companies.

Anonymous Coward says:

Re: Culture change required

Back when I worked in the pacemaker design business, many years ago, the lead design engineers were fully qualified as cardiac doctors as well as having doctorates in engineering from top universities. Their qualifications were so high that there were less than a dozen of them in the whole world, at that time. They were anything but “out of their sphere of knowledge”. If what you describe is the state of things today then it has certainly changed.
