Hackable Cardiac Implants: We Could Have Helped
Your heart isn’t working like it used to, so the doctor recommends a cardiac implant to regulate your cardiovascular system. But, unfortunately, shortly after you have this radio-frequency (RF) connected device implanted in your chest, the FDA announces that it is vulnerable to attacks that could allow malicious actors to take control of it.
Even writing about this is entirely horrifying, let alone living through that worry as a patient. The hacking of heart implants is so scary that most people would rather assume it is a story or tall tale. But, sadly, this actually happened, and not even that long ago: just back in 2016 and 2017.
The Beginning … June 2016
In August 2016, the world was warned that cardiac implant devices designed and built by St. Jude Medical (now owned by Abbott Laboratories) were vulnerable to several critical security flaws. The warning didn’t come from St. Jude or the FDA; instead, a security research firm called MedSec, in partnership with the investment firm Muddy Waters, released a report detailing the issues. The vulnerabilities they disclosed were severe enough that a malicious attacker could trivially take over and remotely control these life-saving devices.
Six months later, on January 9th, 2017, the FDA finally issued a Safety Communication and recall concerning patient safety issues related to “cybersecurity vulnerabilities” found in St. Jude Medical RF-enabled implantable cardiac devices as well as the Merlin@home Transmitter. The FDA warning went on to confirm that the vulnerabilities in question, when exploited, could let a malicious actor remotely access a patient’s implanted cardiac device by altering the Merlin@home transmitter.
What Could Be Done?
Once a transmitter is compromised, the remote unauthorized user has complete control over the cardiac implants connected to it. This access lets the malicious actor modify the programming of the device. Such modification could cause rapid battery depletion, which is scary enough; more firmly on the side of terrifying, the same access could be used to administer inappropriate pacing or shocks. In layperson’s terms, that means an attacker could cause a cardiac event up to and INCLUDING death.
Let that sink in… 465,000 people had devices INSIDE their chests that could be taken over by unauthorized third parties who could use those devices to KILL them. Officially, no one was killed by these flaws; that is purely down to luck.
Fixes Took Years…
St. Jude, acquired by Abbott Laboratories not long after these flaws came to light, took at least six months to patch these vulnerabilities. But reports say the company had known of these flaws, and even of actual patient harm (including TWO deaths from premature battery depletion) stemming from flawed implanted devices, since at least August 2014. So that is YEARS with insecure and unsafe devices in hundreds of thousands of people’s bodies, keeping them alive until they were hacked or stopped working.
IoTSecure Could Have Helped
If any of those affected had been using IoTSecure’s solutions, the impact and severity of these flaws would have been greatly reduced. Our solution is designed to help you manage unmanaged devices in myriad ways. For example, in the case of these cardiac implants, you can monitor unmanaged devices like the Merlin@home transmitter and alert on ANY unexpected or suspicious traffic, helping to keep malicious actors from ever taking the transmitter over in the first place. Attacks like these would have far less impact if people took unmanaged devices seriously and kept them safe. In this case, they could have been protecting their lives.
Learn more today about IoTSecure and what we can do to help you protect ALL your unmanaged devices at IoTSecure.io.