Hired experts back claims St. Jude heart devices can be hacked

Reuters News
Posted: Oct 24, 2016 9:49 AM

By Jim Finkle

(Reuters) - Short-selling firm Muddy Waters said in a legal filing on Monday that outside cyber security experts it hired have validated its claims that St. Jude Medical Inc cardiac implants are vulnerable to potentially life-threatening cyber attacks.

Muddy Waters released a 53-page report from boutique cyber security firm Bishop Fox, the latest piece of evidence to emerge in an ongoing dispute over claims made in August by the short-selling firm and cyber research firm MedSec Holdings that St. Jude cardiac implants are vulnerable to hacking.

St. Paul, Minnesota-based St. Jude has strongly disputed those claims, which are under investigation by the U.S. Food and Drug Administration. The FDA has told patients to continue to use their devices as instructed and not change any St. Jude cardiac implant while it reviews the allegations.

The cardiac devices have been implanted in hundreds of thousands of patients, according to St. Jude.

One of the world's biggest makers of implantable cardiac devices, St. Jude filed a lawsuit against San Francisco-based Muddy Waters, Miami-based MedSec and individuals affiliated with those firms on Sept. 7.

St. Jude accused them of intentionally disseminating false information about its heart devices to manipulate its stock price, which fell 5 percent the day they went public with their claims.

The Bishop Fox report was submitted in federal court in Minnesota as evidence by Muddy Waters in its legal defense. Short sellers make bets that stock prices will fall, selling borrowed shares so they can buy them at a lower price and profit from the difference.

Representatives with St. Jude and the FDA said they had no immediate comment.

The defendants said that St. Jude's lawsuit is without merit, reiterating their prior claim that St. Jude's heart devices have "significant security vulnerabilities."

St. Jude in April agreed to sell itself for $25 billion to Abbott Laboratories.

Bishop Fox said it validated the claims with help from well-known specialists in cryptography, computer hardware hacking, forensics and wireless communications.

"Muddy Waters' and MedSec's statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate," Bishop Fox Partner Carl Livitt said in the report.

The report said the wireless communications in St. Jude cardiac devices are vulnerable to hacking, making it possible for hackers to convert the company's Merlin@home patient monitoring devices into "weapons" that can cause cardiac implants to stop providing care and deliver shocks to patients.

Bishop Fox said it conducted successful test attacks from 10 feet (3 meters) away, but that the range might be extended to as far as 100 feet (30 meters) with an antenna and a specialized device known as a software defined radio.

The report said Bishop Fox confirmed that several different types of hacks were possible. In one instance, it said, a hacker could remotely turn off the therapeutic functions of an implantable cardioverter defibrillator (ICD), then send a T-wave shock to a patient's heart, causing ventricular fibrillation, which could lead to cardiac arrest.

Bishop Fox said its clients include Fortune 500 firms, global financial firms, medical institutions and law firms.

Shares in St. Jude were unchanged at $79.40 in midday trading.

(Reporting by Jim Finkle; Editing by Will Dunham)