back to article MedSec's St Jude pacemaker hacks confirmed by pen-tester

St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec. St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices. Rather than following what's by now an industry-accepted disclosure process ( …

  1. David Roberts

    With or without a strong magnet?

    1. Solmyr ibn Wali Barad

      Indeed. If the vulnerability report omits a honking big magnet needed to pull it off, then the report is mostly moot. That is, there are things that have to be fixed eventually, but scare campaigns and blackmail are in no way justified.

      If there are other ways to access the implant at a distance, then yes, their claims would be valid.

      OK, time to fetch that PDF.

      1. Pompous Git Silver badge

        a honking big magnet
        It's not huge, about 70 mm x 20 mm. It is strong, presumably using a modern ferromagnetic core.

        1. Solmyr ibn Wali Barad

          "It's not huge"

          Yeah, I was kidding about that. Just needed an excuse to use word "honking" in the sentence. So sue me.

          As for the Merlin - there are plenty of things that have to be reworked. It certainly seems to be a bit more chatty than advertised. Implant is not completely read-only, it does react to some external transmissions and can be fooled into making some predefined actions at inconvenient moments.

          Nevertheless, not much reason to panic & perform choreography numbers à la headless chicken on fire.

          Not to mention that stock manipulations are still evil.

    2. Solmyr ibn Wali Barad

      Nothing about magnets in the report. But they could achieve few things via pwned Merlin@home base station - drain the implants battery with frequent polling requests and fool the implant to change its operating modes. Including going into the cardiac arrest mode that'll administer some juicy electric shocks.

      It's not really a re-programming at will, like claimed in some articles, but does have some possibilities to cause harm.

      Highly recommended reading.

      1. Pompous Git Silver badge

        Highly recommended reading.

        Indeed, though I have only skimmed it. Interesting in that I was assured by the cardiologist, the surgeon and the technician that the Merlin@home device is receive only from the POV of the CRT-D. Its transmissions are via the telephone connection to the St Jude server that passes on alerts to the cardiologist via SMS & email.

        If I was a Merkin, presumably I'd be lawyering up to sue the team responsible for keeping me alive. Curmudgeon that I am I have emailed my cardiologist to enhance his hard-earned holiday...

  2. Anonymous Coward
    Anonymous Coward

    How soon before government action is demanded because a black widow uses such a hack to kill a rich husband, claim it was a glitch, and claim insurance and inheritance?

    1. Solmyr ibn Wali Barad

      That'd have to be a very bright lady who is proficient with JTAG equipment and debuggers.


      1. Pompous Git Silver badge

        That'd have to be a very bright lady who is proficient with JTAG equipment and debuggers.

        Also know how cardiac resynchronisation via the three electrodes attached to the CRT-D works using some arcane (if you aren't trained in cardiology) software. The technologist told me that it took her 12 months to train up a recent uni graduate.

  3. allthecoolshortnamesweretaken

    The PDF makes for a very interesting read; some useful links in the references too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon