SecurityWeek

Muddy Waters Shows More Attacks on St. Jude Cardiac Devices

Investment research firm Muddy Waters and security company MedSec have published four new videos allegedly demonstrating potentially lethal attacks against implanted cardiac devices from St. Jude Medical.

After being sued by St. Jude Medical over its controversial disclosure of vulnerabilities, Muddy Waters on Wednesday launched a new website in an effort to show that the medical device manufacturer puts “profits over patients.”

“See how poor St. Jude’s device cyber security really is – including shocking (literally) new revelations about hacks that St. Jude says aren’t possible. Is St. Jude management too focused on trying to sell to Abbott to know they’re giving some completely wrong assurances?,” reads a message on the new website.

The site features several videos that appear to show how attackers could broadcast potentially lethal commands to implantable devices. The attacks include delivering shocks to the patient, causing the cardiac device to vibrate, and disabling its tachycardia therapy feature. Muddy Waters claims to have been in contact with several whistleblowers and cardiologists “who believe St. Jude has a history of ignoring problems that could have a significant impact on patients’ health.”

In response to the new website, St. Jude has once again disputed the claims, saying that it has been proactively working to identify and address potential cybersecurity vulnerabilities. As an example, the vendor said it issued seven security-related updates to its Merlin@home devices – one of the products targeted by MedSec research – over the past three years.

St. Jude also announced the formation of a Cyber Security Medical Advisory Board whose goal is to “help ensure that St. Jude Medical’s cyber security protections continue to be innovative without jeopardizing patient care.”

“Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St. Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry,” St. Jude said in a statement sent to SecurityWeek.

“We take this matter very seriously and will once again work to quickly evaluate this new information,” the company added. “St. Jude Medical stands behind the security and safety of our devices.”

Muddy Waters continues to have a short position in St. Jude and the company will benefit financially if the manufacturer’s shares fall. The value of St. Jude stock soared in late April when Abbott Laboratories announced its intention to acquire the firm for $25 billion. Muddy Waters’ controversial disclosure has had a slight negative impact on St. Jude stock, but its value remains at high levels compared to the period before the Abbott acquisition announcement.

Muddy Waters and MedSec have only disclosed limited information about the vulnerabilities they allegedly found in St. Jude devices. However, independent researchers found some flaws in the report, stating that MedSec exploits had not actually crashed cardiac devices as the company claimed, which could indicate that the security firm’s employees might not know exactly how these medical devices are supposed to work.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
