OTPulse

ICSMA-17-009-01A_St. Jude Merlin@home Transmitter Vulnerability (Update A)

Plan Patch · 8.9 · ICS-CERT ICSMA-17-009-01A · Jan 9, 2017
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

St. Jude Merlin@home wireless transmitters for implantable cardiac devices contain a cryptographic weakness in their wireless communication protocol. Affected models (Inductive EX1100, EX1100 with MerlinOnDemand, RF EX1150) with firmware versions below 8.2.2 do not adequately protect wireless transmissions between the home transmitter and the implanted device. An attacker with RF equipment within wireless range could intercept, replay, or forge commands to the cardiac device, potentially altering therapy settings or device operation. The vulnerability falls in the CWE-300 (Channel and Path Errors) class and affects the confidentiality and integrity of wireless patient monitoring data and device control.

What this means
What could happen
An attacker could intercept wireless communications with an implantable cardiac device transmitter and execute unauthorized commands, potentially altering device settings or disrupting critical patient monitoring and therapy delivery.
Who's at risk
Hospitals and cardiac care clinics that deploy or support St. Jude Merlin@home implantable cardiac device transmitters. Patients using these wireless home transmitters are directly affected, particularly those in dense residential or multi-unit environments where RF interference or eavesdropping is possible. Biomedical technicians and IT staff supporting remote patient monitoring systems are responsible for risk assessment.
How it could be exploited
An attacker within wireless range of the patient's home transmitter could intercept unencrypted or weakly encrypted communications between the transmitter and the implanted cardiac device. By replaying or forging wireless packets, the attacker could inject malicious commands to modify device parameters or stop normal operation.
Prerequisites
  • Wireless range of the Merlin@home transmitter (typically within ~30 feet in a home setting)
  • RF equipment capable of receiving and transmitting on the device frequency band
  • No authentication required to send commands to the transmitter
  • Remotely exploitable via wireless signal
  • No authentication required
  • Affects medical device with patient safety implications
  • No fix available for affected product versions
  • Wireless communication vulnerability
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
Inductive models EX1100 | < 8.2.2 | No fix (EOL)
Inductive models EX1100 with MerlinOnDemand capability | < 8.2.2 | No fix (EOL)
RF models EX1150 | < 8.2.2 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Isolate affected transmitter models (Inductive EX1100, EX1100 with MerlinOnDemand, RF EX1150) from wireless range when not actively used for patient monitoring; store in RF-shielded enclosure if available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Review patient locations and home network environment; work with St. Jude to identify high-risk patient populations (e.g., those in multi-unit buildings or near public spaces)
HARDENING: Establish procedure to audit transmitter firmware version; coordinate with St. Jude for device-specific security guidance or potential firmware updates if released
HOTFIX: Monitor St. Jude security advisories and contact vendor to confirm end-of-life status and request patch availability timeline