Security of St. Jude Pacemakers

This is a good summary article about the horrible security of St. Jude pacemakers, and the history of the company not doing anything about it.

Posted on May 3, 2017 at 10:25 AM • 26 Comments

Comments

Clive Robinson • May 3, 2017 11:41 AM

@ Bruce,

If I remember correctly, the first "public" outing of St Jude's was an investment house that gave them a "don't touch with a barge pole" rating and went on to explain why, and from that point on it was downhill for them.

Kevin • May 3, 2017 11:53 AM

It's worth noting that there don't seem to have been any deaths related to the cyber security issue. Although the article says, 'The government concluded that St. Jude Medical, "time and again, failed to adhere to internal security and product-quality guidelines, a lapse that resulted in at least one patient death,"' the death referred to has to do with a defect related to the pacemaker's internal battery: the FDA letter refers to bridging within the battery cells.

Elliot • May 3, 2017 1:08 PM

I wonder if the death of an executive or two would help organizations like this to do better? Couldn't hurt to try.

Clive Robinson • May 3, 2017 2:37 PM

I couldn't find the original link I posted here when the Muddy Waters report came out, but the report itself has probably been pulled; it was not at all complimentary.

But I have another nagging thought in the back of my head about one of the GW Bush clique. It came out in late 2013 that Dick Cheney had the radio interface on his pacemaker removed back in 2007:

http://www.theverge.com/2013/10/21/4863872/dick-cheney-pacemaker-wireless-disabled-2007

When you read what he said, it makes you wonder if certain agencies --that are not the FDA-- in the US Gov know rather more about medical implants than is good for those they are being pushed into en masse by the US Medical Insurance industry...

albert • May 3, 2017 4:45 PM

This is an example of holding their feet to the fire. We need more of this sort of thing. When manufacturers don't give a rat's ass about security, why even give them a chance by reporting their products' vulnerabilities? Only those who fix the problems should be given a pass. The rest can go to hell.

Furthermore, St. Jude Medical actually sued the exposers. -That's- how the business world works. Finally, the FDA (the useful tool of Big Pharma) admitted that St. Jude Medical knew about the problems.

Those of you who believe regulation is going to fix things had better think again. Do I think Muddy Waters and MedSec are the good guys? No. In fact, I immediately suspected market manipulation.

@Kevin,
What was the follow-up on the battery failure? Was anything done about it? Companies lax in one area are usually lax in others.

. .. . .. --- ....

bob • May 3, 2017 5:32 PM

I worked on a medical implant R&D effort a while back. I pointed out that there was no security on the MICS (Medical Implant Control System) RF link, and that some decent public key crypto was needed, or at least openssl. The response was that the device needed to minimize battery consumption, and crypto was too CPU intensive for this application. The lame excuse was the limited 10 foot range. I pointed out that Dick Cheney (yes, I used him as an example!) could be riding on an airplane and be within 10 feet of someone who would like to assinate him.

On a similar note, I worked on an energy management project many years ago and pointed out how a "hacker" (that word was still under its original meaning back then) could synchronize the power cycling of a large number of loads and crash the grid thereby. I was told not to talk about it!

Business has timelines to meet and investors to satisfy. These are short term goals. Security is almost always a reactive problem: it only gets fixed after an incident calls attention to the defect.

I have worked on DO-178B level A aviation projects and I know that a good regulatory authority can force a vendor to meet required standards, but the standards must already be in place. The medical device industry in the US is FDA regulated, and is generally behind IEC 62304 European standards, and even those did not have crypto requirements for RF medical device controls.

I won't even talk about how poor security is for medical devices used in hospitals, but think critical life support devices running windoze xp on a wifi network!

albert • May 3, 2017 7:07 PM

@bob,

Sadly, it's typical. The FAA has typically dragged its feet on regulation. When an air disaster happens, then they act. Often, standards are revised or even new standards are written. Unfortunately, many lives are sacrificed. Are you familiar with the Therac-25 debacle?

The FDA, FDA, EPA, FCC, etc. are quickly descending into irrelevance, aided by Trump & Co.

Thanks for the info.

I think a lot of engineers might do well to keep an email trail containing these discussions, and memos pointing out the problems. They may need it when the lawsuits come.

BTW, Cheney has been 'assinated' for a long time:)

. .. . .. --- ....

Drone • May 4, 2017 5:22 AM

I worked for a pacemaker manufacturer many years ago. In order to communicate with the device, you first had to hold a special puck which encapsulated a strong magnet in a certain orientation on the skin right over the implant. This would close a reed switch which completed a circuit that allowed the implant to communicate.

Does the magnetic puck afford strong security against attack? No, but an attacker would have to obtain the puck then go to some lengths to use it on a conscious, informed, and unwilling victim.

It would have been possible to inductively couple power to a circuit in the implant that would afford some form of encryption while not draining the pacemaker's battery (which is usually not rechargeable, even in today's devices). But that was deemed to be even less secure than the magnet, and a possible single point of failure far less reliable than the simple reed switch.

The philosophy at the implant device manufacturer was reliability, efficacy, and device longevity. Adhering to these goals almost always produced simple yet elegant solutions.

CallMeLateForSupper • May 4, 2017 9:03 AM

"hardcoded universal unlock code"

Say no more; that pretty much covers it.

Clive Robinson • May 4, 2017 10:40 AM

@ CallMeLate...,

Say no more; that pretty much covers it.

The problem of course is the First Responder / ER issue.

If your pacemaker starts giving you the jolt treatment to get you break dancing around the place, you probably would consider an off switch desirable.

The simple fact is that for all our failings humans are generally more reliable than machines, and whilst we generally don't get too upset when a machine breaks, the opposite is true of our loved ones. Which is why ambulance chasing lawyers can earn sufficient money to put a bucket of champagne on the table every night.

So the question is how do you put an "emergency off button" in an electronic device that's buried somewhere inside of you? Whilst also adding safeguards against misuse?

It's a harder problem than privacy and one the likes of the FDA should have been considering a third of a century or so ago when the first "wireless" implanted medical devices were being developed.

John Macdonald • May 4, 2017 11:01 AM

@Clive - that is exactly the same problem as providing a crypto backdoor that the good guys can use but is secure against the bad guys (for a variety of definitions of good and bad :-)

i.e. - it is an impossible goal to achieve

Clive Robinson • May 4, 2017 12:15 PM

@ John Macdonald,

that is exactly the same problem as providing a crypto backdoor that the good guys can use but is secure against the bad guys

Yes they are very much the same technically, but socially they are worlds apart.

Only those we have good reason to mistrust, such as the FBI's Mr Comey and the UK's PM Theresa May, appear to want backdoors at "any price". However most of us would want an emergency stop button on our implanted medical devices in the same way we want good brakes on road vehicles.

Thus, can we get one without the other, and if so, how? It's something I've been thinking about off and on for most of this century so far.

It also has other implications such as self driving vehicles, and quite a few other things. Hopefully it's something the academic community will get its teeth into fairly soon, before we get really stupid legislation passed.

albert • May 4, 2017 12:47 PM

@Drone, Clive, Call..,
"...while not draining the pacemaker's battery (which is usually not rechargeable, even in today's devices)...."

Contact-less battery recharging has been around for decades. Why wasn't it considered?

How about a nuclear power source? ("The Terminal Man" - Crichton - book is better than movie) Gives new meaning to the term 'heart warming'.

Implanted devices are -not- immune to EM interference.

. .. . .. --- ....

bob • May 4, 2017 12:51 PM

Emergency stop was invented along with the railroad.

For implantable devices, the magnet is a good solution. To improve, applying the magnet would do an emergency stop, and wait for a properly encrypted RF connection. After that, it is probably "safe enough" to allow an authorized device to communicate with the implant.

Unfortunately, emergency stop does not work well for airplanes -- you can't just pull over and wait on a cloud for the AAA tow truck to arrive. You gotta keep that baby under control via "graceful degradation". The last resort in an electrical failure is the "drop the RAT". (RAT == Ram Air Turbine, a wind powered generator propelled by the forward motion of the aircraft. It provides "just enough" power to keep critical electronics and avionic sensors and actuators working.) Many planes have been saved by the RAT.

Clive Robinson • May 4, 2017 2:58 PM

@ Albert,

Contact-less battery recharging has been around for decades. Why wasn't it considered?

The problem is finding a battery that could be safely put inside you that can be recharged once a week for fifteen to thirty years (~5K cycles).

As far as I'm aware there is no battery technology even close.

As for nuclear batteries, the problem if I remember correctly was the very small risk of cremation with the battery still in place. Basically you'd get a lot of "hot" radioactive material disappearing up the chimney to poison people down wind for a mile or so. Kind of like a small scale "dirty bomb".

anon • May 4, 2017 9:03 PM

Nobody has mentioned a reliable audit trail.

The main attraction of futzing with a pacemaker to murder (or assault) somebody appears to be stealth. A device that figuratively, or literally, screamed "b****y murder" would go a long way to removing that advantage. It probably would not identify the murderer, but it could ensure the same investigation as a body with an icepick in the ear.
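bob's proposal above (magnet first, then a properly authenticated RF session) and anon's point about a reliable audit trail, as one added example that is not code from this thread or from any pacemaker vendor: a constructed Python model of an implant-side gate in which the reed switch arms a programming session, a per-device key (rather than a hardcoded universal unlock code) authenticates each command by HMAC challenge-response, and every attempt, accepted or refused, is appended to a hash-chained log that any later tampering breaks. All names (ImplantGate, programmer_tag, verify_log) and the 16-byte nonce size are my assumptions.

```python
import hashlib
import hmac
import os

GENESIS = b"\0" * 32  # fixed start of the audit hash chain

def programmer_tag(key: bytes, nonce: bytes, cmd: str) -> bytes:
    # Programmer side: proves knowledge of the per-device key for this nonce and command.
    return hmac.new(key, nonce + cmd.encode(), "sha256").digest()

class ImplantGate:
    def __init__(self, device_key: bytes):
        self.key = device_key                   # per-device secret, never a universal unlock code
        self.magnet, self.nonce = False, None   # reed-switch state; single-use challenge
        self.log, self.last_hash = [], GENESIS  # append-only (entry, sha256 hex) chain

    def _audit(self, entry: str) -> None:
        self.last_hash = hashlib.sha256(self.last_hash + entry.encode()).digest()
        self.log.append((entry, self.last_hash.hex()))

    def magnet_applied(self) -> None:
        """Emergency stop: fall back to safe pacing and allow a programming session."""
        self.magnet = True
        self._audit("magnet on: safe mode, programming enabled")

    def magnet_removed(self) -> None:
        self.magnet, self.nonce = False, None
        self._audit("magnet off: programming disabled")

    def challenge(self):
        """Hand out a fresh nonce; refused (and logged) unless the magnet is present."""
        if not self.magnet:
            self._audit("challenge refused: no magnet")
            return None
        self.nonce = os.urandom(16)
        return self.nonce

    def command(self, cmd: str, tag: bytes) -> bool:
        """Accept cmd only with a valid HMAC over the outstanding nonce; log either way."""
        ok = self.nonce is not None and hmac.compare_digest(tag, programmer_tag(self.key, self.nonce, cmd))
        self._audit(f"command {cmd!r}: {'accepted' if ok else 'rejected'}")
        self.nonce = None                       # consumed whether or not the tag was valid
        return ok

def verify_log(log) -> bool:
    prev = GENESIS  # recompute the chain; an edited or deleted entry breaks every later link
    for entry, h_hex in log:
        prev = hashlib.sha256(prev + entry.encode()).digest()
        if prev.hex() != h_hex: return False
    return True
```

The log only proves tampering to whoever can read it; in a real device it would still need to be exported and kept somewhere the patient's clinician, not just the implant, controls.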

TS • May 5, 2017 4:45 AM

If replacement or charging is an issue, why not just add an outlet (all Matrix style 'n' such) at the shoulder in this case, so you can plug in during the evening to charge the pacemaker? Or would that give the same issue as charging wirelessly?

Clive Robinson • May 5, 2017 8:04 AM

@ TS,

why not just add an outlet ... so you can plug in during the evening to charge the pacemaker.

To charge what?

It's the item that holds the charge, be it a rechargeable battery or super capacitor, that is the problem, not the rest of the electronics.

Put simply, all charge storage devices that can hold a significant charge have two problems. Firstly, they have short lifetimes due to various chemical factors. Secondly, many of their failure modes lead to swelling of the charge storage device, thus splitting and discharge of quite unpleasant if not dangerous chemicals.

One of the safer technologies considered at one point used various silver compounds. Which had a disadvantage like silver based anti smoking tablets, that although not particularly poisonous (nitrate LD50 ~2.7g/Kg) it did find its way under the skin causing "Argyria" (a permanent slate-blue discoloration of the skin etc).

The advantage of nuclear batteries was that they were basically thermoelectric generators and not prone to splitting or other problems, with half lives of fifty years or more.

A side issue on energy storage devices is underground nuclear waste dumps. Due to a requirement for inspection they need a door that might only be opened once every twenty to a hundred years, but needs to be securely locked at all other times for upwards of a thousand years. The search for a hundred year electrical energy storage system has so far had to go the mechanical route and use falling masses to drive generators...

Baughn • May 6, 2017 6:42 AM

@TS

On top of what Clive said, installing a permanent port in the body is, as far as I know, still an unsolved problem. Temporary ports are used, but there's always a risk of infection which requires continuous monitoring; the complexity of your pre-existing ports (such as the mouth), at the biochemical level, is a good indication of how hard it'd be to avoid that.

Drone • May 6, 2017 11:42 PM

@albert,

Yes, contact-less battery recharging has been around a long time. And there are rechargeable implantable devices - perhaps even some heart pacers (I don't know about that). However...

* The drawbacks associated with using rechargeable batteries in implantable heart-pacer devices outweigh the seeming advantages. At least that was the situation decades ago when I was in the Industry, and I believe it still holds true today:

1. Rechargeable battery chemistries have higher self-discharge rates than non-rechargeable chemistries. This means you need to recharge more often, using up the limited number of recharges in the process.

2. In the vast majority of implanted heart-pacers, non-rechargeable batteries will last a long time, often longer than the patient will live.

3. If there is no longevity advantage to recharging, there's no point in adding the complexity of recharging. Increasing complexity typically decreases reliability - and reliability is paramount when it comes to designing heart-pacer devices.

* Do not lose sight of the commercial and legal aspects of adding rechargeable capability:

A. The number of patients that may benefit from rechargeable pacemakers is quite small compared to the number of typical pacer recipients. This small installed base does not justify the huge cost and years of testing required by the FDA to bring a new device to market.

B. Adding rechargeable technology adds more opportunity for the device to fail. And every time a device fails, greedy Trial Lawyers swoop down from the branches to feed upon the carcass of the manufacturer.

* What about special or extreme cases you ask?

One might think that using rechargeable technology would be justified in patients with life-spans longer than the life of a non-rechargeable battery - like Children.

But this turns out not to be the case. Heart-pacers use insulated leads with conductive tips that are inserted into the heart. As a child grows, these leads need to be repositioned and/or replaced. This is a minimally invasive procedure that will occur often enough that if-needed the pacer device itself can be replaced at the same time.

For long-term adult pacemaker wearers, replacing the pacer device is so infrequent and minimally invasive, it is deemed better to replace one highly reliable device with another that is just as reliable and long-lived.

* And what about the "Nuclear" heart-pacer?

Implantable medical devices with Radioisotope Thermoelectric Generator (RTG) power sources have been made before (and may even be made today - but I don't know of any). But any advantage RTG technology has over chemical batteries hasn't been enough to justify commercial adoption of the technology.

Then there is the non-scientific part of society that is obsessed with Political Ecology. Nothing associated with the word "Nuclear" is acceptable to these people - no matter how factually beneficial it may be. Just mentioning something like a "Nuclear Heart-Pacer" to these Loons sends them into the right-half plane.

jckhmr • May 7, 2017 6:24 AM

Where I come from, St. Jude is who some people pray to in order to turn around 'hopeless cases' ... the irony isn't lost on me re. St Jude pacemakers.

albert • May 7, 2017 5:04 PM

@Clive, @Drone, et al,

Thanks for setting me straight.

In the "Terminal Man", the subject goes psycho, and ends up getting shot by police (against medical advice), which breaks the seal of the power source. He gets buried in a lead-lined coffin.

It's a good read and has nothing to do with pacemakers:)

. .. . .. --- ....
