SecurityWeek

St. Jude Refutes Medical Device Vulnerability Claims

Medical device manufacturer St. Jude Medical (STJ) has denied that its products are plagued by serious vulnerabilities, following a controversial disclosure by MedSec and Muddy Waters that sent its shares down and led to a brief trading halt.

MedSec, a cybersecurity startup that specializes in medical devices, spent the past 18 months analyzing the products of four major vendors. The company says its investigation found St. Jude's products, including implantable cardiac devices and Merlin@home transmitters, to be the least secure of the four.

According to a report published on Thursday by MedSec and Muddy Waters, St. Jude's products lack proper encryption and authentication. The report contains only limited technical details, but MedSec says it has developed proof-of-concept exploits that could be used to cause cardiac devices to malfunction or to drain their batteries at a very fast rate. Because the technical details are withheld, neither claim can be independently verified from the published material.

Instead of reporting its findings to St. Jude through the company's responsible disclosure program, MedSec took them to Muddy Waters, which used the information to take a short position in St. Jude stock.

MedSec has admitted that bringing its findings to Muddy Waters is beneficial for its business, but claims that the main goal is to warn patients about the risks. The security firm's CEO said she was concerned that St. Jude would attempt to sweep the problem under the rug if contacted directly.

In a statement published on its website on Friday, St. Jude said it had examined the allegations made by Muddy Waters and MedSec and determined that the report is "false and misleading."

The medical device maker says it works with third-party experts, researchers, regulators and government agencies to ensure that proper security mechanisms are integrated into its products.

“These experts assist in designing security controls from the early stages of product design through final release and ongoing product enhancements, including software updates and security patches for our products. We also conduct regular risk assessments based on FDA guidance and perform penetration tests using internal and external experts,” St. Jude stated.


The company also pointed out that the observations in the report apply only to older versions of the Merlin@home transmitter, and that security updates are pushed to these units automatically when they become available. It's worth noting that MedSec conducted its analysis on second-hand Merlin@home units, so whether those units were running current software is not clear from the report.

St. Jude also disputed the claim that an attacker could drain an implanted device's battery from a distance of 50 feet. According to the vendor, its cardiac devices have a wireless communications range of only 7 feet once implanted in a patient. That figure is the vendor's nominal operating range rather than a measured limit on what a purpose-built receiver could reach, a distinction the vendor's statement does not address.

“This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report. In addition, in the described scenario it would require hundreds of hours of continuous and sustained ‘pings’ within this distance,” St. Jude said. “To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient. In the unlikely instance that was to occur, the implanted devices are designed to provide a vibratory patient alert if the battery dips below a certain threshold to protect and notify patients.”

The medical device manufacturer also considers the report inconsistent in how it describes crashing implanted devices. The company says the researchers lack a fundamental understanding of medical device technology, and that the screenshots included in the report do not actually show a crashed system.

St. Jude shares fell sharply on Thursday, and trading in the stock was halted on Friday afternoon. Trading resumed later on Friday after St. Jude published its statement disputing Muddy Waters' claims.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
