“The announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
- Carson Block, Muddy Waters CEO
On Monday, January 9, 2017, the FDA reported that St. Jude Medical implantable cardiac devices and corresponding Merlin@home Transmitters are susceptible to hacking.
The cybersecurity vulnerabilities were discovered last August in a paper released by Muddy Waters, but was only recently made public after a software patch was released by manufacturer St. Jude Medical. The security flaw would allow unauthorized access to a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The Merlin@home Transmitter can be exploited by altering programming commands, which could result in battery depletion and/or inappropriate administration of pacing/shocks.
A validated software patch has since been released for Merlin@home Transmitters. "The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks," the Food and Drug Administration stated on Monday.
This brings to attention the impending and growing risk of possible cyber attacks as the number of devices connected to the IoT increases. It is now possible for hackers to literally "play with your life" as they can now make their ways into life saving technologies.
There have been no reports of deaths or injuries associated with the security flaw.