St. Jude heart implant devices can be hacked, security researchers say

Security experts hired by the short-selling firm Muddy Waters said in a legal brief filed today that cardiac implants made by St. Jude Medical can be hacked. If hackers can pwn your heart device, the researchers say, they can kill you–from as far away as 100 feet.

At issue is the Merlin@Home transmitter, which according to St. Jude "allows efficient remote care management of patients with implanted cardiac devices through scheduled transmissions and daily alert monitoring."

Merlin@Home by St. Jude Medical, a remote cardiac device transmitter for health care use.

The security firm Bishop Fox published a 53-page report attached to the legal brief, which was filed Monday in a Minnesota U.S. district court on behalf of Muddy Waters in defense against a lawsuit filed by St. Jude. Muddy Waters hired Bishop Fox to perform the security analysis.

"I found that Muddy Waters' and MedSec's statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate," said Bishop Fox partner Carl Livitt in an introduction to the report.

No comment from St. Jude so far.

From Reuters:

The report said that the wireless communications protocol used in St. Jude cardiac devices is vulnerable to hacking, making it possible for hackers to convert the company's Merlin@home patient monitoring devices into "weapons" that can cause cardiac implants to stop providing care and deliver shocks to patients.

Bishop Fox tested the attacks from 10 feet (3 meters) away, but said that might be extended to 45 feet (13.7 meters) with an antenna, or 100 feet (30.5 meters) with a transmitting device known as a software defined radio.

Related reading: "Statement from Bishop Fox on Muddy Waters and MedSec Response to St. Jude Medical Lawsuit"