
St. Jude Refutes Medical Device Vulnerability Claims

Medical device manufacturer St. Jude Medical (STJ) has denied that its products are plagued by serious vulnerabilities following a controversial disclosure by MedSec and Muddy Waters that forced the vendor to temporarily suspend trading.

MedSec, a cybersecurity startup that specializes in medical devices, says it spent the past 18 months analyzing the products of four major vendors. According to the company, its investigation found St. Jude’s products, including implantable cardiac devices and Merlin@home transmitters, to be the least secure of the four.

According to a report published on Thursday by MedSec and Muddy Waters, St. Jude’s products lack proper encryption and authentication. While the report contains only limited technical details, MedSec says it has developed proof-of-concept exploits that could be used to cause cardiac devices to malfunction or drain their battery at a very fast rate.

Instead of reporting its findings to St. Jude through the company’s responsible disclosure program, MedSec contacted Muddy Waters, which used the information to short St. Jude stock.

MedSec has admitted that the decision to bring its findings to Muddy Waters is beneficial for its business, but claims that the main goal is to warn patients about the risks. The security firm’s CEO said she was concerned that St. Jude would attempt to sweep the problem under the rug if contacted directly.

In a statement published on its website on Friday, St. Jude said it had examined the allegations made by Muddy Waters and MedSec and determined that the report is “false and misleading.”

The medical device maker says it works with third-party experts, researchers, regulators and government agencies to ensure that proper security mechanisms are integrated into its products.

“These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts,” St. Jude stated.

The company also pointed out that the observations in the report only applied to older versions of Merlin@home units and that security updates are automatically sent to these products when they become available. It’s worth noting that MedSec conducted its analysis on second-hand Merlin@home devices, which may not have received those updates.

St. Jude also refuted claims that hackers could drain an implanted device’s battery from a distance of 50 feet. According to the vendor, cardiac devices have a wireless communications range of only 7 feet once they are implanted into a patient.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained ‘pings’ within this distance,” St. Jude said. “To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.”

The medical device manufacturer believes the report is also inconsistent when describing how hackers could crash implanted devices. The company claims the researchers lack fundamental understanding of medical device technology and that the screenshots included in the report don’t actually show a crashed system.

St. Jude shares plunged on Thursday and the company even entered a trading halt on Friday afternoon. Trading was resumed later on Friday after St. Jude published a statement refuting Muddy Waters’ claims.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.