Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

University Finds Flaws in Report on St. Jude Medical Device Security

Researchers from the University of Michigan have analyzed the MedSec report describing serious vulnerabilities in St. Jude Medical products and determined that the security firm may have reached inaccurate conclusions.

Researchers from the University of Michigan have analyzed the MedSec report describing serious vulnerabilities in St. Jude Medical products and determined that the security firm may have reached inaccurate conclusions.

MedSec, a company that specializes in medical device security, analyzed the products of four major vendors and determined that St. Jude devices are the most vulnerable. Researchers claimed to have found some serious issues, including flaws that can be exploited to cause implanted cardiac devices to malfunction or drain their battery at a very fast rate.

It’s not uncommon for security researchers to find vulnerabilities in medical devices. However, instead of reporting its findings to the vendor, MedSec teamed up with investment research firm Muddy Waters and they came up with a strategy that involved disclosing the existence of the flaws and shorting St. Jude shares.

St. Jude rushed to refute the allegations and reassured customers that it’s products are not as vulnerable as MedSec and Muddy Waters claim them to be. The MedSec report, which contains only limited technical details, has also been analyzed by University of Michigan (U-M) researchers, who found that MedSec’s proof-of-concept (PoC) exploit did not actually crash the implanted cardiac device.

According to the U-M team, which includes several medical device security researchers and a cardiologist, the error message shown in a screenshot included in the MedSec report indicates that the device is not properly plugged in, not necessarily that it’s no longer working.

“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue,” said Kevin Fu, U-M associate professor of computer science and engineering, and director of the Archimedes Center for Medical Device Security.

“To the armchair engineer it may look startling, but to a clinician it just means you didn’t plug it in. In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard,” added Fu, who is also the co-founder of a medical device security startup.

University of Michigan researchers will continue to analyze the report published by Muddy Waters and MedSec. In the meantime, Muddy Waters stands by MedSec’s report and it has even published a video allegedly showing how a cardiac device can be crashed.

MedSec has admitted that its decision to team up with Muddy Waters has some business benefits and it’s aware that its practices will draw criticism, but the company believes this is the only way to “spur St. Jude Medical into action.”

Muddy Waters’ short-selling strategy has paid off as the value of St. Jude stock plunged following the disclosure, even to the point where the company was forced to enter a trading halt last Friday. St. Jude shares have now recovered some of last week’s drop.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...