eugenesergeev - Fotolia

St. Jude Medical finally patches vulnerable medical IoT devices

News roundup: St. Jude Medical patches vulnerable medical IoT devices after a five-month controversy. Plus, the Email Privacy Act is reintroduced; Juniper warns of a firewall flaw; and more.

After months of denying the existence of a problem, St. Jude Medical released patches and guidance for security vulnerabilities in its internet of things, or IoT, medical devices.

The patches address vulnerabilities in the Merlin@home Transmitter, St. Jude Medical's remote monitoring system of implantable pacemakers and defibrillator devices. The security updates from St. Jude Medical arrived on the same day that the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team issued separate statements detailing the vulnerabilities and advice for healthcare providers, patients and caregivers.

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter," the FDA said in its statement. "The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

The vulnerable medical IoT devices were originally found by security researcher MedSec in August 2016. MedSec partnered with investment research body Muddy Waters Capital and released a paper to the public disclosing the device vulnerabilities; the security flaws include flaws in the encryption of the radio frequency protocol used by the Merlin@home Transmitter remote monitoring system, as well as a backdoors to the devices.

At the time, St. Jude Medical denied the vulnerabilities' existence and subsequently filed a lawsuit against MedSec and Muddy Waters for defamation through false medical device security findings. The lawsuit remains ongoing.

St. Jude Medical has been criticized for not addressing the vulnerable devices for five months since the initial disclosure, being called "a particularly aggressive and hostile vendor" in a statement by Justine Bone, CEO and director at MedSec, based in Miami.

A separate statement from Muddy Waters also harshly criticized St. Jude Medical for the patches, saying "the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants."

The statement from St. Jude Medical emphasizes the "extremely low cybersecurity risks" this vulnerability poses to the medical devices, and it advises users of the Merlin@home Transmitter to ensure it is powered on and connected to the internet so it can receive the automatic patch download.

The bigger picture of vulnerable devices

The FDA's guidance on handling the St. Jude Medical device vulnerabilities follows closely on the heels of its more general medical device cybersecurity guidance. Internet-connected devices are a growing security concern, and the FDA has focused on both general IoT device security and, specifically, medical IoT device security.

"In today's world of medical devices that are connected to a hospital's network or even a patient's own internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device's performance and functionality," wrote Suzanne Schwartz, M.D., in a FDA blog post from Dec. 27, 2016.

The U.S. Federal Trade Commission also addresses the security risks associated with internet-connected devices with a recently launched contest to create a tool to protect home IoT devices.

In other news:

  • The Email Privacy Act was reintroduced on Jan. 9 by U.S. Reps. Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.). The act, which updates the Electronic Communications Privacy Act (ECPA), requires all government agencies to obtain a warrant to search citizens' electronic communications. Previously, under the ECPA, the government could search any email older than 180 days stored on a third-party server without a warrant. "As a result of Congress' failure to keep pace with technological developments, every American is at risk of having their emails warrantlessly searched by government agencies," Polis said in a statement. "The Email Privacy Act will update, and bring our archaic laws into the 21st century, and protect Americans' Fourth Amendment privacy rights, whether they're communicating through pen-and-paper mail or email. Americans justly demand this level of privacy, and I remain confident that the bill will swiftly pass Congress." The bill unanimously passed the House of Representatives in 2016 419-0, but it didn't make it to the Senate Judiciary Committee for a vote.
  • Juniper Networks issued an advisory for a flaw in SRX Series firewalls that are upgraded using the partition option. The issue affects devices that are upgraded from Junos OS releases prior to 12.1X46-D65, but upgrading to a version of the OS without the flaw won't fix the problem. The flaw allows root logins without a password. While upgrading to an unaffected OS doesn't get rid of the flaw, according to the security bulletin, "the symptoms are immediately obvious after an affected upgrade and may be remediated by rebooting the device post-upgrade."
  • GoDaddy had to revoke more than 6,000 SSL certificates on Jan. 10 as a result of a software bug. GoDaddy learned of the bug on Jan. 6, though it was inadvertently introduced in July 2016. The bug affected approximately 6,100 GoDaddy customers -- less than 2% of the certificates issued since July 2016. "In a typical process, when a certificate authority like GoDaddy validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website. When their system searches and finds the code, the validation is complete," explained Wayne Thayer, GoDaddy's vice president and general manager of security products. "However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found." GoDaddy is reissuing the certificates -- 8,850 in total -- at no cost to the affected customers.
  • On the same day the annual ESET security report praised the Microsoft Edge browser for having no exploits in the wild, two Edge vulnerabilities were reportedly added to the Sundown exploit kit. The two vulnerabilities, tracked as CVE-2016-7200 and CVE-2016-7201, include issues with the Chakra JavaScript scripting engine in Edge. They were first reported by Google Project Zero and were fixed by Microsoft in November 2016. However, a proof-of-concept exploit was posted Jan. 4 by security firm Theori, and the security researcher known as Kafeine confirmed the exploits are being added to the Sundown exploit kit. The timing is unfortunate, since ESET's "Windows Exploitation in 2016" report sang high praises of Edge, reading "It is worth noting that in the last year, no vulnerabilities have been found for the Edge web browser that are known to have been exploited in the wild. From our point of view, this situation with Edge was predictable, because, unlike IE11, Edge keeps modern security features turned on by default."

Next Steps

Find out why some providers are holding off full-scale deployments of IoT medical devices

Learn more about IoT medical device security measures

Read why industry experts say medical devices must be secure by design

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing