
MedSec's St Jude pacemaker hacks confirmed by pen-tester

Bishop Fox report says Merlin@Home vulns are real and deadly

St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec.

St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices.

Rather than following what's by now an industry-accepted disclosure process (contact the manufacturer, and give them time to make a fix before publishing), MedSec partnered with Muddy Waters to short St Jude's stock.

Last week, MedSec published videos demonstrating its attacks, but St Jude dismissed the videos as “unverified claims”.

In a new court filing, an independent security researcher might make “unverified” harder to sustain.

MedSec has posted this document (PDF) to its Website (it doesn't yet appear in The Register's search of the case's court records on the PACER system).

The report, written by Carl Livitt, a partner in security and penetration testing firm Bishop Fox, replicated first-hand “many of the attacks” first made public in August.

In particular, Livitt says Bishop Fox found the St Jude Merlin@Home system could be exploited to interfere with pacemaker function, stop ICDs (implantable cardioverter defibrillators) from delivering therapy, drain device batteries, and get administrative access to the systems.

The report also says there is, as Muddy Waters/MedSec asserted, a backdoor in St Jude's wireless protocol, and that it would be “relatively easy” for a programmer to find.

Bishop Fox was able to take over systems from a distance of about three metres (10 feet).

The Register has contacted St Jude for comment. ®

Update: St Jude has responded with the following e-mail:

"Yesterday Muddy Waters and MedSec responded to the lawsuit that St. Jude Medical filed against them in September. We took that action to hold these firms accountable for their false and misleading tactics, to set the record straight about the security of our devices, and to help cardiac patients and their doctors make informed medical decisions about our products that enhance and save lives every day.

"We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions.

"Our lawyers are reviewing the response from Muddy Waters and MedSec and will respond through appropriate legal channels." ®
