With or without a strong magnet?
MedSec's St Jude pacemaker hacks confirmed by pen-tester
St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec. St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices. Rather than following what's by now an industry-accepted disclosure process ( …
COMMENTS
-
-
Tuesday 25th October 2016 11:01 GMT Solmyr ibn Wali Barad
Indeed. If the vulnerability report omits a honking big magnet needed to pull it off, then the report is mostly moot. That is, there are things that have to be fixed eventually, but scare campaigns and blackmail are in no way justified.
If there are other ways to access the implant at a distance, then yes, their claims would be valid.
OK, time to fetch that PDF.
-
-
Wednesday 26th October 2016 06:45 GMT Solmyr ibn Wali Barad
"It's not huge"
Yeah, I was kidding about that. Just needed an excuse to use word "honking" in the sentence. So sue me.
As for the Merlin - there are plenty of things that have to be reworked. It certainly seems to be a bit more chatty than advertised. Implant is not completely read-only, it does react to some external transmissions and can be fooled into making some predefined actions at inconvenient moments.
Nevertheless, not much reason to panic & perform choreography numbers à la headless chicken on fire.
Not to mention that stock manipulations are still evil.
-
-
-
Tuesday 25th October 2016 19:04 GMT Solmyr ibn Wali Barad
Nothing about magnets in the report. But they could achieve few things via pwned Merlin@home base station - drain the implants battery with frequent polling requests and fool the implant to change its operating modes. Including going into the cardiac arrest mode that'll administer some juicy electric shocks.
It's not really a re-programming at will, like claimed in some articles, but does have some possibilities to cause harm.
Highly recommended reading.
-
Tuesday 25th October 2016 22:09 GMT Pompous Git
Highly recommended reading.
Indeed, though I have only skimmed it. Interesting in that I was assured by the cardiologist, the surgeon and the technician that the Merlin@home device is receive only from the POV of the CRT-D. Its transmissions are via the telephone connection to the St Jude server that passes on alerts to the cardiologist via SMS & email.
If I was a Merkin, presumably I'd be lawyering up to sue the team responsible for keeping me alive. Curmudgeon that I am I have emailed my cardiologist to enhance his hard-earned holiday...
-
-
-
-
-
Tuesday 25th October 2016 22:14 GMT Pompous Git
That'd have to be a very bright lady who is proficient with JTAG equipment and debuggers.
Also know how cardiac resynchronisation via the three electrodes attached to the CRT-D works using some arcane (if you aren't trained in cardiology) software. The technologist told me that it took her 12 months to train up a recent uni graduate.
-
-