Heart implants from St. Jude Medical could be hacked and used to deliver shocks to the patients using them, according to new filings in an ongoing court case against the medical device manufacturer.

The two organizations making the allegations, security provider MedSec and investment research firm Muddy Waters, originally released a vulnerability report back in August, targeted at St. Jude Medical. The report alleged that the manufacturer’s heart devices, such as pacemakers and defibrillators, had security vulnerabilities that made them susceptible to cyber attacks, presenting an obvious risk to patients.

As ZDNet’s Charlie Osborne reported, St. Jude fired back with a lawsuit in September, claiming that the report was misleading. Now, St. Jude is facing its own legal issues, with a new report from from independent security firm Bishop Fox entered as evidence against the medical device manufacturer.

SEE: Information security policy template (Tech Pro Research)

The original report from MedSec and Muddy Waters claimed that certain cyber attacks could drain pacemaker batteries, or make the device beat faster. Originally reported by Kaspersky Labs’ Threatpost, the latest report said that the St. Jude Medical cardiac devices could be weaponized to disable therapeutic care and shock patients from 10 feet away.

The new report, which came from Bishop Fox’s Carl D. Livitt, also noted that it believes the original report from MedSec and Muddy Waters to be “by and large, accurate.”

“My overall opinion regarding the security of the St. Jude Medical implantable cardiac device ecosystem is that the security measures I observed do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients,” the report stated.

Despite the claims, Threatpost suggested that the original report was an attempt by MedSec to benefit from lowering St. Jude’s stock value. Regardless, the Food and Drug Administration (FDA) and Department of Homeland Security (DHS) are currently investigating the St. Jude devices.

The news comes shortly after the catastrophic Dyn DDoS attack, which left many of the world’s biggest websites unusable. The Dyn attack, which was attributed in part to IoT vulnerabilities, showcased the need for better security for connected devices. However, the St. Jude allegations show just how much more can be at risk if a connected device isn’t properly secured.

The 3 big takeaways for TechRepublic readers

  1. A new report claims that St. Jude heart implants, like pacemakers, can be hacked and weaponized against the patients using them.
  2. The report is the latest in an ongoing legal battle between St. Jude and Muddy Waters and MedSec, who filed an original report claiming that the St. Jude devices were vulnerable to cyber attacks.
  3. The potential for cyberattacks to affect such a crucial piece of equipment further highlights the need for better IoT and connected device security.