Hired experts support claims St. Jude heart devices can be hacked

St. Jude Logo The ticker and trading information for St. Jude Medical is displayed where the stock is traded on the floor of the New York Stock Exchange (NYSE) in New York City, U.S., April 28, 2016. REUTERS/Brendan McDermid

By Jim Finkle

(Reuters) – Short-selling firm Muddy Waters said in a legal brief filed on Monday that outside cyber security experts it hired have validated its claim that St. Jude Medical Inc cardiac implants are vulnerable to potentially life-threatening cyber attacks.

Boutique cyber security firm Bishop Fox disclosed its findings in a 53-page report that was attached to a legal brief filed on Monday in U.S. district court in Minnesota on behalf of the short-sellers, who hired the firm to perform the work as they defend themselves in a lawsuit filed by St. Jude.

A representative for St. Jude was not immediately available for comment.

St. Jude filed the suit on Sept. 7 against Muddy Waters, cyber research firm MedSec Holdings and individuals affiliated with those companies. The suit accused the group of intentionally disseminating false information about St. Jude heart devices to manipulate its stock price, which fell 5 percent on the day they revealed their claims.

The defendants said in a filing released on Monday that the lawsuit is without merit, reiterating their claim that St. Jude Medical’s heart devices have “significant security vulnerabilities.”

The report from Bishop Fox said the firm was able to validate those claims.

“I found that Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” Bishop Fox Partner Carl Livit said in an introduction to the report.

The report said that the wireless communications protocol used in St. Jude cardiac devices is vulnerable to hacking, making it possible for hackers to convert the company’s Merlin@home patient monitoring devices into “weapons” that can cause cardiac implants to stop providing care and deliver shocks to patients.

Bishop Fox tested the attacks from 10 feet (3 meters) away, but said that might be extended to 45 feet (13.7 meters) with an antenna, or 100 feet (30.5 meters) with a transmitting device known as a software defined radio.

(Reporting by Jim Finkle; Editing by Will Dunham)

Leave a Reply