As more and more devices gain connectivity, there are more opportunities for malicious individuals to steal your data, break things, and just generally make your life more difficult. At least you’ll still have your life, though. Now a security firm says that a connected implantable cardiac device made by Minnesota-based healthcare company St. Jude is susceptible to hacking, which can be life-threatening.
The device at issue here is an Implantable Cardioverter Defibrillator (ICD). This is essentially a more advanced version of a pacemaker. After implantation, it uses small flexible wires to detect your heart rate and applies an electric current to stop abnormal cardiac rhythms. An investment firm called Muddy Waters started warning about the safety of St. Jude’s ICD products recently, which has led to a legal battle. Muddy Waters is a short-selling operation, meaning it bets on a company’s stock price falling in order to make money. St. Jude says the allegation of security issues is simply meant to harm its stock price and is not based on a real danger.
As part of the ongoing case, Muddy Waters contracted with cyber security firm Bishop Fox to perform an independent analysis of St. Jude’s implantable cardiac devices. It recently produced a 53-page report where it says Muddy Waters’ claims regarding the possibility of ICD cyber attacks are “by and large accurate.”
St. Jude’s latest medical implants are different from past devices because they use a wireless protocol to communicate with a monitoring station called [email protected] It uses radio frequency signals to transmit and receive data from the implant, which saves patients from going to the doctor several times per year just to have the implant’s performance checked. However, Bishop Fox says it successfully hijacked this signal and was able to take control of the implant.
At a distance of 10 feet, researchers claim they were able to instruct the ICD to cease operation, then produce a powerful T-wave shock. A patient subjected to this attack could have a heart attack. That’s somewhat worse than having your family photos locked up by ransomware. Bishop Fox says it believes the same attack could be accomplished from as far as 100 feet away with more powerful equipment.
The claims are currently being investigated by St. Jude and the FDA, but the federal agency said patients should continue using their ICDs as instructed by doctors. If this turns out to be a real threat, the fix is going to be costly. It’s harder to recall defective electronics when they live inside your chest.