
SoylentNews is people

posted by takyon on Saturday January 14 2017, @12:40PM
from the death-by-remote dept.

TechDirt reports:

[The week of January 12,] the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It's notable as it's the first time we've seen the government publicly acknowledge this specific type of threat.

The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They're also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability.

Apparently, the "Move on; nothing to see here" claims were wrong.
University of Michigan Says Flaws That MedSec Reported Aren't That Serious
...and the "Let's look closely at these" lot were right way back when.
US Security Agencies Look at Medical Device Security


  • (Score: 0) by Anonymous Coward on Saturday January 14 2017, @01:26PM (#453780)

    > Apparently, the "Move on; nothing to see here" claims were wrong.
    > University of Michigan Says Flaws That MedSec Reported Aren't That Serious

    Apparently there are Microsofters inside the University of Michigan and Fu appears to be one. The University can't maintain a top ranking with Microsofters as members of its faculty, or for that matter even its staff. HR needs to go through the resumes and send them packing.

    Same for the other top universities. It only hurts the nation as a whole to let them stay on board.