The cyber security company MedSec and the investment research firm Muddy Waters have released a joint report accusing medical device manufacturer St. Jude Medical of ignoring serious security vulnerabilities in some of its most popular products. The report urges St. Jude Medical to issue a sweeping recall and undergo a complete overhaul of its products in regards to security.
MedSec analyzed products from four different manufacturers and found St. Jude Medical products to be the least secure by far. The analysis focused specifically on implanted cardiac devices like pacemakers and cardioverter defibrillators, as well as the software and networks used to operate these devices and transmit data between patient and doctor.
Studying second-hand devices obtained from a credible physician revealed that the software/hardware lacked industry-standard encryption and authentication protections. Those kinds of vulnerabilities expose these devices to attack by even the least sophisticated hackers. MedSec took the step of creating and testing attacks that could cause the devices to malfunction or run through battery power much faster than intended.
This kind of research is not unusual in the tech sector. In fact, St. Jude Medical maintains a dedicated email address where researchers can report suspected vulnerabilities and flaws. What is unusual in this case is that, rather than contacting the manufacturer directly, MedSec reached out to the investors at Muddy Waters. The investment firm then licensed the security research and paid MedSec a portion of the investment profits that resulted.
The joint report estimates that if St. Jude Medical were to take the steps necessary to resolve the security issues discovered, the company’s revenue could be cut in half for up to two years. The devices studied represent 46% of the manufacturer’s annual revenue.
Betting that the stock price of St. Jude Medical would plummet after the report was released, Muddy Waters chose to short-sell the stock. When the stock price did plummet 8% on Thursday, both the investment and security firms made a windfall. Executives from MedSec have acknowledged the monetary gain but said their motives were simply to raise awareness. The firm’s CEO has expressed concern that if normal channels were followed the device manufacturer would have covered the research up and continued to operate as usual.
The report contains limited technical details. Withholding specifics is common in cyber security research, in order to avoid publishing effective attack strategies, but it has also led some to question the veracity of MedSec’s claims. Officials from St. Jude Medical have aggressively refuted the research and pointed to in-house security testing of both devices and networks.