Bishop Fox says Merlin@Home vulns are real and deadly
St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec.
St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices.
Rather than following what’s by now an industry-accepted disclosure process (contact the manufacturer, and give them time to make a fix before publishing), MedSec partnered with Muddy Waters to short St Jude’s stock.
Last week, MedSec published videos demonstrating its attacks, but St Jude dismissed the videos as “unverified claims”.
In a new court filing, an independent security research might make “unverified” harder to sustain.
MedSec has posted this document (PDF) to its Website (it doesn’t yet appear in The Register’s search of the case’s court records on the PACER system).
The report, written by Carl Livitt, a partner in security and penetration testing firm Bishop Fox, replicated first-hand “many of the attacks” first made public in August.
In particular, Livitt says Bishop Fox found the St Jude Merlin@Home system could be exploited to interfere with pacemaker function, stop ICDs (implantable cardioverter defibrillators) from delivering therapy, drain device batteries, and get administrative access to the systems.
The report also says there is, as Muddy Waters/MedSec asserted, a backdoor in St Jude’s wireless protocol, and that it would be “relatively easy” for a programmer to find.
Bishop Fox was able to take over systems from a distance of about three metres (10 feet).
The Register has contacted St Jude for comment. ®