St. Jude Medical admits new cardiac device flaws discovered, issues patch update

The medical device maker has fixed another flaw in the Merlin@home Transmitter range which left the devices vulnerable to cyberattacks.
Written by Charlie Osborne, Contributing Writer

St. Jude Medical has promised a patch to protect the Merlin@home Transmitter range from cyberattacks, only a month after patching a variety of security flaws in similar devices.

The medical device equipment manufacturer issued an update to an ICS-CERT security advisory this week warning of the impending update.

According to the notice, a third-party security research firm warned St. Jude that the Merlin@home transmitter radio-frequency (RF) and "inductive" models are vulnerable to man-in-the-middle (MITM) attacks which allow attackers to remotely compromise the device and eavesdrop on communication between the transmitter and devices connected to it.

The company says the security flaw exposes data transferred "between Merlin.net and transmitter endpoints," including embedded cardiac devices. The vulnerability, CVE-2017-5149, has been deemed critical with a base score of 8.9.

The Merlin@home transmitter is described as a device which "allows for remote care management of patients with implanted cardiac devices through scheduled transmissions, patient-initiated transmissions, and daily monitoring."

St. Paul, Minnesota-based St. Jude says that the Merlin@home transmitters prior to version 8.2.2, RF model EX1150 and inductive models EX1100 -- as well as another version of EX1100 with MerlinOnDemand capability -- are vulnerable to MITM attacks.

St. Jude has developed an updated version of the transmitter software, version 8.2.2, which will be rolled out over the next few months to devices that are connected to the Internet.

The medical equipment maker suggests that patients keep their devices powered and connected at all times to receive the update.

In January this year, following months of denial that any St. Jude medical devices contained security vulnerabilities, the equipment maker finally acknowledged that seven bugs -- first reported by MedSec -- existed.

Despite taking the issue to court and vehemently denying MedSec's findings were accurate, St. Jude eventually developed and pushed out an automatic update to fix the security issues discovered in the Merlin remote monitoring system.

St. Jude may not have handled things in the best way when the vulnerabilities first came to light months ago, but at least the medical device maker appears to be making some effort to improve the security of devices in use by healthcare organizations and patients.

Speaking to ZDNet, Jim DeLorenzo, solutions manager at Thales e-Security, said that "digital birth certificates" which contain strong encryption and unique identifiers and are implemented at the manufacturing stage could help protect future medical devices and patient data by preventing fraudulent firmware updates.
