St. Jude Medical is facing fresh allegations its heart implant devices are vulnerable to cyberattacks. The claims were introduced by the defense as part of St. Jude’s defamation lawsuit against short seller Muddy Waters and security firm MedSec.
In a legal filing submitted Monday, experts hired by Muddy Waters and MedSec back their claims that St. Jude’s cardiac implants are vulnerable to cyberattacks. The report is from independent security firm Bishop Fox, whose testimony was presented as evidence to the federal court in Minnesota hearing the case.
“Muddy Waters’ and Med Sec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” the Bishop Fox report concluded.
“My overall opinion regarding the security of the St. Jude Medical implantable cardiac device ecosystem is that the security measures I observed do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients,” wrote Carl Livitt, the author of the Bishop Fox report.
This latest salvo is part of an ongoing legal battle that began in August when Muddy Waters released a report based on research conducted by Med Sec that blasted St. Jude for implanting pacemakers in hundreds of thousands of patients that were vulnerable to potentially “catastrophic” cyberattacks. The move was an attempt to hurt St. Jude’s stock value so that Muddy Waters could benefit from a short position it held on St. Jude stock.
Then in September, St. Jude sued Muddy Waters for defamation and said stood behind the safety and security of its devices.
In the interim, The Food and Drug Administration and Department of Homeland Security also launched their own investigation into the Med Sec and Muddy Waters claims. According to the FDA and DHS, both agencies are recommending users of St. Jude’s cardiac implants to continue to use the devices while they review Med Sec and Muddy Waters’ claims.
According to Bishop Fox’s expert testimony on behalf of Muddy Waters, St. Jude’s cardiac devices have serious wireless protocol security vulnerabilities “that make it possible to convert Merlin@home (the pacemaker’s management console equipment) devices into weapons capable of disabling therapeutic care and delivering shocks to patients at distances of 10 feet.” That range of 10 feet, according to Livitt, can be extended to as much as 100 feet with the use of additional antennas.
Bishop Fox said for its report it worked with a number of well-known computer security experts including cryptography expert Matthew Green, assistant professor at Johns Hopkins University, Drew Porter, founder of Red Mesa, specializing in radio frequency security, and Joe Grand, founder of Grand Idea Studio, specializing in hardware security.
In response to the report St. Jude issued the following statement to Threatpost:
“Today Muddy Waters and Med Sec responded to the lawsuit that St. Jude Medical filed against them in September. We took that action to hold these firms accountable for their false and misleading tactics, to set the record straight about the security of our devices, and to help cardiac patients and their doctors make informed medical decisions about our products that enhance and save lives every day.
We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions.
Our lawyers are reviewing the response from Muddy Waters and Med Sec and will respond through appropriate legal channels.”
From the beginning, St. Jude has denied the claims made by Muddy Waters in its report. “The allegations are absolutely untrue,” St. Jude CTO Philip Ebeling said in a statement in September. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts with specifically Merlin@Home and all our devices.”
St. Jude’s defamation suit claims that Med Sec’s original report was an intentional attempt to affect St. Jude’s stock price. At the market’s close on Monday, St. Jude was trading at $79.42 a share, up 0.08 percent from the opening bell.