St. Jude Medical has released new software that mitigates a channel-accessible-by-non-endpoint (“man-in-the-middle”) vulnerability in its Merlin@home transmitter, according to an advisory published by ICS-CERT.
A third-party security research firm has verified that the new software version mitigates the identified remotely exploitable vulnerability, discovered by MedSec Holdings.
As a result of the vulnerability, the Food and Drug Administration (FDA) released a safety communication, Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter, to alert users to the identified vulnerability and its mitigation and to provide recommendations to patients and healthcare providers. In response, ICS-CERT released an advisory with additional information for patients and healthcare providers.
Merlin@home transmitter software versions prior to Version 8.2.2 are affected.
Successful exploitation of this vulnerability may allow a remote attacker to access or influence communications between Merlin.net and transmitter endpoints.
St. Jude Medical is a St. Paul, Minnesota-based company.
The affected product, the Merlin@home transmitter, allows remote care management of patients with implanted cardiac devices through scheduled transmissions, patient-initiated transmissions, and daily monitoring. The Merlin@home transmitter is deployed across the Healthcare and Public Health sector. St. Jude Medical said the product is used globally.
The vulnerability itself: the identities of the endpoints of the communication channel between the Merlin@home transmitter and St. Jude Medical’s web site, Merlin.net, are not verified. This may allow a remote attacker to access or influence communications between those endpoints.
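To make the failure mode described above concrete, here is an added example in Go; it is not code from St. Jude Medical, MedSec or ICS-CERT, and it says nothing about how the transmitter or Merlin.net actually implement their channel. It stands up a genuine TLS server and an impostor that presents the same hostname under an unrelated key, then connects to both with a client that skips certificate verification and with one that trusts only the genuine certificate. The hostname `merlin.example.invalid`, the self-signed certificates and the loopback servers are all constructed for the example. The point generalizes to any TLS client: an endpoint that does not verify its peer's identity accepts whoever answers the connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check aborts on setup errors; handshake results are returned by dial and inspected.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert mints a throwaway self-signed certificate for host. Constructed only
// for this example; a fielded device would carry a CA-issued certificate and a pinned trust anchor.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host}, // hostname verification matches against the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// serveTLS runs a loopback TLS server presenting cert; it only completes handshakes.
func serveTLS(cert tls.Certificate) (addr string, stop func()) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			_ = c.(*tls.Conn).Handshake() // errors when the client rejects our certificate
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// dial performs a TLS handshake with cfg and returns the handshake result.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records what each client configuration did against each server.
type Outcome struct {
	UnverifiedAcceptsImpostor bool // the failure mode of an unverified channel
	VerifiedRejectsImpostor   bool
	VerifiedAcceptsGenuine    bool
}

// RunScenario stands up a genuine server and an impostor presenting the same hostname under an
// unrelated key, then connects to both with an unverifying client and a client that trusts only the genuine certificate.
func RunScenario() Outcome {
	const host = "merlin.example.invalid" // placeholder name, not the real service
	genuine, genuineLeaf := selfSignedCert(host)
	impostor, _ := selfSignedCert(host)
	roots := x509.NewCertPool() // the only certificate the client will ever trust
	roots.AddCert(genuineLeaf)
	gAddr, gStop := serveTLS(genuine)
	defer gStop()
	iAddr, iStop := serveTLS(impostor)
	defer iStop()
	unverified := &tls.Config{InsecureSkipVerify: true} // accepts any certificate at all
	verified := &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12}
	return Outcome{
		UnverifiedAcceptsImpostor: dial(iAddr, unverified) == nil,
		VerifiedRejectsImpostor:   errors.As(dial(iAddr, verified), new(x509.UnknownAuthorityError)),
		VerifiedAcceptsGenuine:    dial(gAddr, verified) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run`; the verifying client's refusal surfaces as an `x509.UnknownAuthorityError`, while the client with `InsecureSkipVerify` completes the handshake with the impostor without noticing. The same check applies in the other direction: a server that needs to know which device is talking to it requires a client certificate (`tls.RequireAndVerifyClientCert`) issued under a trust anchor it controls, which is the mutual form of the endpoint verification the advisory says was missing.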
CVE-2017-5149 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.9.
No known public exploits specifically target this vulnerability. However, an attacker with a high skill level would be able to exploit it.
St. Jude Medical developed updated software for the Merlin@home transmitter that mitigates the identified vulnerability and provides additional security enhancements.
The new version of the Merlin@home transmitter software, Version 8.2.2, will be applied automatically over a period of several months, when the Merlin@home transmitter connects to an Ethernet, Wi-Fi or cellular network, or to a landline. St. Jude Medical recommends that users keep Merlin@home transmitters powered and connected at all times to receive this update and future updates.
For additional information about the vulnerability or the software update process, users can review information from St. Jude Medical.
Patients and healthcare providers with questions can call the Merlin hotline at 877-696-3754 or visit the St. Jude Medical web site.
The FDA issued the safety communication, Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter, which includes recommendations for patients and healthcare providers.
St. Jude Medical is continuing to work with ICS-CERT and the FDA to address additional security issues. As additional information becomes available, ICS-CERT, in coordination with the FDA, will release further information products.