Muddy Waters Device Hacking Claims Questioned by Researchers

Last week, Carson Block – founder of short-selling firm Muddy Waters – released a report saying St. Jude Medical’s [email protected] device for monitoring pacemakers contained critical security flaws that could be remotely exploited. Those exploits could be used to disrupt the function of the devices and cause them to fail.

The research for the report was conducted by security firm MedSec. MedSec had been testing a range of devices from multiple manufacturers as part of an 18-month study of device security. MedSec chose not to present the findings to St. Jude, instead the research was offered to Muddy Waters. The two companies entered into a partnership with MedSec being paid a consultancy fee. MedSec will also benefit financially from any shorting of St. Jude Stock. Block was able to short St. Jude’s stock, with the value of shares falling by 5% last Thursday following the publication of the report.

However, leading medical device security researchers from the University of Michigan have conducted their own experiments to test St. Jude devices for security vulnerabilities. Their research does not back up the claims made in the Muddy Waters report. According to the researchers, the experiments resulted in “strikingly different conclusions” being drawn.

The researchers followed the same conditions that were outlined in the Muddy Waters report. While the experiments resulted in the same error messages being generated, the researchers did not believe they were indicative of a successful crash attack. The error messages produced indicated the device was not plugged in, but this did not mean that the device would cease to function.

Kevin Fu, associate professor of computer science and engineering at the University of Michigan and director of the Archimedes Center for Medical Device Security, issued a statement saying “We’re not saying the report is false; we’re saying it’s inconclusive because the evidence does not support their conclusions.”

In response to the UM study, Muddy Waters issued a statement saying “We deliberately did not publish detailed information on the vulnerabilities, exploits, or attacks on the devices in order to avoid giving the playbook to potential attackers.”

St. Jude Medical denied the claims that their devices contained unaddressed security flaws and called the Muddy Waters report “false and misleading”. St. Jude has since issued a press release saying the allegations in the report “are irresponsible, misleading, and unnecessarily frightening patients.”

Block had explained that even individuals who lacked technical expertise would be able to exploit the vulnerabilities. St. Jude Medical responded by saying “Further demonstrating their fundamental lack of understanding of St. Jude Medical’s medical device technology, Muddy Waters Capital and MedSec presented a video yesterday that actually demonstrated the Radio Frequency (RF) Telemetry Lockout security feature of our pacemakers – not a “crash” as they claimed.” The press release goes on to explain that “The video also confirms that the device’s clinical functions are operating as expected under these conditions.”

According to St. Jude Medical, in the event of unexpected conditions, such as those created by MedSec/Muddy Waters, the devices go into safe mode. The devices continue to function, they just revert to “preprogrammed pacing and defibrillation functions.”

Mark Carlson, M.D., VP and CMO at St. Jude Medical, sought to restore calm and reassure scared users of the devices, saying “Our devices are safe and we have taken – and continue to take – appropriate steps to address the dynamic challenges of cyber security.” He also confirmed that safeguards are put in place to prevent device crash attacks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.