MedSec's St Jude pacemaker hacks confirmed by pen-tester
Bishop Fox report says Merlin@Home vulns are real and deadly
St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec.
St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices.
Rather than following what's by now an industry-accepted disclosure process (contact the manufacturer, and give them time to make a fix before publishing), MedSec partnered with Muddy Waters to short St Jude's stock.
Last week, MedSec published videos demonstrating its attacks, but St Jude dismissed the videos as “unverified claims”.
In a new court filing, an independent security researcher's report might make “unverified” harder to sustain.
MedSec has posted this document (PDF) to its website (it doesn't yet appear in The Register's search of the case's court records on the PACER system).
The report, written by Carl Livitt, a partner in security and penetration testing firm Bishop Fox, replicated first-hand “many of the attacks” first made public in August.
In particular, Livitt says Bishop Fox found the St Jude Merlin@Home system could be exploited to interfere with pacemaker function, stop ICDs (implantable cardioverter defibrillators) from delivering therapy, drain device batteries, and get administrative access to the systems.
The report also says there is, as Muddy Waters/MedSec asserted, a backdoor in St Jude's wireless protocol, and that it would be “relatively easy” for a programmer to find.
Bishop Fox was able to take over systems from a distance of about three metres (10 feet).
The Register has contacted St Jude for comment. ®
Update: St Jude has responded with the following e-mail:
"Yesterday Muddy Waters and MedSec responded to the lawsuit that St. Jude Medical filed against them in September. We took that action to hold these firms accountable for their false and misleading tactics, to set the record straight about the security of our devices, and to help cardiac patients and their doctors make informed medical decisions about our products that enhance and save lives every day.
"We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions.
"Our lawyers are reviewing the response from Muddy Waters and MedSec and will respond through appropriate legal channels." ®