SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-324416197] St. Jude Merlin@home Transmitter Vulnerability

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2017-01-09OtherSt. Jude MedicalMedSec HoldingsN/ACVE-2017-5149 N/AN/AN/A

Source

						
							
								
#
# St. Jude Merlin@home Transmitter Vulnerability
#


### OVERVIEW

MedSec Holdings has identified a channel accessible by non-endpoint ("man-in-the-middle") vulnerability in St. Jude Medical's Merlin@home transmitter. St. Jude Medical has validated the vulnerability and produced a new software version that mitigates this vulnerability. A third-party security research firm has verified that the new software version mitigates the identified vulnerability.
This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability.
The Food and Drug Administration (FDA) has released safety communication, Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter, to alert users about the identified vulnerability and corresponding mitigation as well as to provide recommendations to patients and healthcare providers. In response, NCCIC/ICS-CERT is releasing this advisory to provide additional information to patients and healthcare providers.



### AFFECTED PRODUCTS

The following Merlin@home transmitter versions are affected:
Merlin@home, versions prior to Version 8.2.2



### IMPACT

Successful exploitation of this vulnerability may allow a remote attacker to access or influence communications between Merlin.net and transmitter endpoints.
ICS-CERT recommends that patients and healthcare providers evaluate the impact of this vulnerability based on their specific usage after reviewing the information referenced in this advisory and to contact the vendor for assistance with any questions or concerns related to this vulnerability.



### BACKGROUND

St. Jude Medical is a US-based company headquartered in St. Paul, Minnesota.
The affected product, the Merlin@home transmitter, allows for remote care management of patients with implanted cardiac devices through scheduled transmissions, patient-initiated transmissions, and daily monitoring. According to St. Jude Medical, the Merlin@home transmitter is deployed across the Healthcare and Public Health sector. St. Jude Medical estimates that this product is used worldwide.



### VULNERABILITY CHARACTERIZATION

# VULNERABILITY OVERVIEW

CHANNEL ACCESSIBLE BY NON-ENDPOINT ("MAN-IN-THE-MIDDLE")a
The identities of the endpoints for the communication channel between the Merlin@home transmitter and St. Jude Medical's web site, Merlin
et, are not verified. This may allow a remote attacker to access or influence communications between the identified endpoints.
CVE-2017-5149b has been assigned to this vulnerability. A CVSS v3 base score of 8.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H)




### VULNERABILITY DETAILS

# EXPLOITABILITY

This vulnerability could be exploited remotely.



# EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.



# DIFFICULTY

An attacker with high skill would be able to exploit this vulnerability.



### MITIGATION

St
Jude Medical has developed updated software for the Merlin@home transmitter that mitigates the identified vulnerability and provides additional security enhancements.
The new version of the Merlin@home transmitter software, Version 8.2.2, will be automatically updated over a period of several months, when the Merlin@home transmitter is connected to an Ethernet, WiFi, cellular network, or a landline
St
Jude Medical recommends that users keep Merlin@home transmitters powered and connected at all times to receive this update and future updates.
For additional information about the vulnerability or the software update process, users can review information from St
Jude Medical at:
http://media.sjm.com/newsroom/news-releases/news-releases-details/2017/St-Jude-Medical-Announces-Cybersecurity-Updates/default.aspx


Patients and healthcare providers with questions can call the Merlin hotline at
1-877-696-3754 or visit www.sjm.com/Merlin


for more information.
The FDA has issued safety communication, Cybersecurity Vulnerabilities Identified in St
Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter, which includes recommendations for patients and healthcare providers and is available at the following location:
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
St
Jude Medical is continuing to work with