The Internet of Things has been getting a lot of bad press in recent weeks. Not long ago, an army of enslaved smart devices was used to bring much of the internet in the United States to its knees for several hours. A few weeks before that, an exploit in a “smart” insulin pump was demonstrated that could potentially allow a bad guy to kill the patient relying on it by ordering an insulin injection when none was needed.
Now, there’s a new chapter in the ongoing parade of bad news for internet-connected devices. This time, it revolves around a series of cardiac implants and monitoring devices that are monitored by the Merlin.net Patient Care Network.
Researchers recently released a series of YouTube videos outlining in detail the means by which criminals could take control of the monitoring equipment and either turn it off or deliver a defibrillation charge to a patient who didn’t need one, essentially shocking their heart at will. Worse, the attacker could opt to leave the defibrillator running, essentially giving the patient a continuous, ongoing shock until death occurred.
St. Jude Medical Center, which relies heavily on the Merlin service, flatly denies that the attack is possible, and insists that it is a publicity stunt designed to damage the company’s stock price. The evidence presented by the video, however, is both clear and compelling.
An investigation is currently underway, and lawsuits have been filed, so it will likely be some time before the full truth comes out, but there is one thing we know for certain:
So-called “smart” devices are notoriously bad when it comes to digital security. We’ve seen too many high-profile cases in which significant damage has been done for no other reason than the fact that equipment manufacturers can’t be bothered to put reasonable security measures in place on the equipment they sell. This isn’t the first time a medical device has been identified as containing critical security flaws.
If you have been issued a cardiac monitoring device that relies on the Merlin.net monitoring service, beware. There is not, as of yet, a fix of any kind that will prevent this attack.