Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Muddy Waters, MedSec Respond to St. Jude Lawsuit

Investment research firm Muddy Waters and security company MedSec have responded to St. Jude Medical’s lawsuit and hired outside experts to back their claims that some of St. Jude’s cardiac products are affected by serious vulnerabilities.

Investment research firm Muddy Waters and security company MedSec have responded to St. Jude Medical’s lawsuit and hired outside experts to back their claims that some of St. Jude’s cardiac products are affected by serious vulnerabilities.

Muddy Waters and MedSec contracted security consulting firm Bishop Fox to provide an expert opinion on St. Jude implantable cardiac devices. In its report, Bishop Fox said the statements made by Muddy Waters and MedSec are accurate and that St. Jude products “do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.”

MedSec has been criticized for disclosing the vulnerabilities before giving the vendor a chance to release patches. However, in a blog post published on Monday, MedSec CEO and Director Justine Bone pointed out that the details of the uncovered vulnerabilities have not been made public. Bishop Fox has also been asked to withhold critical details.

“At the same time the Muddy Waters report was published we privately shared details with the FDA and DHS. We invited both organizations into our labs and also offered to visit theirs. MedSec also invited these details be shared with St Jude via the government agencies, and we extended an offer of direct assistance to St. Jude. We still today have heard nothing back from St. Jude outside of public and legal accusations,” Bone said.

In their response to the St. Jude lawsuit, Muddy Waters and MedSec reiterated their claims, now backed by Bishop Fox, and said the lawsuit is without merit.

The existence of the flaws affecting St. Jude products was disclosed as part of an investment strategy, but the claims have not had a significant impact on the medical device manufacturer’s stock, which soared in late April after Abbott Laboratories announced its intention to acquire the firm for $25 billion.

St. Jude has denied that its products have critical vulnerabilities and it recently announced the formation of a Cyber Security Medical Advisory Board whose goal is to “help ensure that St. Jude Medical’s cyber security protections continue to be innovative without jeopardizing patient care.”

MedSec and Muddy Waters have published several videos apparently showing damaging attacks against cardiac devices manufactured by St. Jude. However, some medical device security experts said MedSec might have misinterpreted the results of its attacks, making them look more damaging than they actually are.

UPDATE. St. Jude has provided SecurityWeek the following statement:

Today Muddy Waters and MedSec responded to the lawsuit that St. Jude Medical filed against them in September. We took that action to hold these firms accountable for their false and misleading tactics, to set the record straight about the security of our devices, and to help cardiac patients and their doctors make informed medical decisions about our products that enhance and save lives every day.


We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions.


Our lawyers are reviewing the response from Muddy Waters and MedSec and will respond through appropriate legal channels.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...