US FDA warns of vulnerabilities in pacemakers
The US Food and Drug Administration has issued a warning about vulnerabilities in St. Jude Medical’s implantable cardiac devices, including pacemakers. The vulnerabilities would allow an attacker to send commands to the devices.
In the warning, the FDA writes that an attacker can make contact with a device via an RF connection and then, for example, drain the battery or shock a person. These findings are the result of an organization’s own investigation into the safety of St. Jude Medical’s devices. The investigation focused in particular on the ‘Merlin@home’ transmitters, which make contact with a home monitor via an RF connection. The latter can then forward the data to the attending physician.
St. Jude Medical says in its own message that it has released patches for the vulnerable devices. It even speaks of a ‘very low risk’ that attackers would exploit the vulnerabilities. So far, there have been no reports of users falling victim to an attack. The deficiencies in St. Jude Medical’s products were initially identified in a study by the company MedSec.
MedSec said St. Jude is “far behind in security” and has done nothing to ensure the safety of its customers for quite some time. For example, the company has been aware of the security problems since 2013. St. Jude responded to MedSec’s findings at the time, saying they were inaccurate.
This is not the first time vulnerabilities in devices such as pacemakers have been found. For example, in 2012, security researcher Barnaby Jack found software vulnerabilities in pacemakers, which could potentially be exploited with deadly consequences. In October of last year, the American company Johnson & Johnson warned about vulnerabilities in an insulin pump; researcher Jack had also done this for Medtronic devices in 2011.