Independent Cyber Security Experts Support Claim That St. Jude Heart Devices May Be Hacked


The findings were disclosed in a report attached to a legal brief

October 24, 2016

Short-selling firm Muddy Waters has filed a legal brief containing a report that it says includes findings confirming its claim that cardiac implants manufactured by St. Jude Medical are vulnerable to cyber attacks that could be life threatening.

Muddy Waters hired boutique cyber security firm Bishop Fox to test the claim as it defends itself against a lawsuit filed by St. Jude. Bishop Fox disclosed its findings in a 53-page report attached to a legal brief filed on behalf of Muddy Waters.

St. Jude filed its suit on September 7 against Muddy Waters, cyber research firm MedSec Holdings, and certain individuals who are affiliated with those companies. The suit claims that the defendants intentionally disseminated false information about the cardiac implants in order to manipulate St. Jude's stock price, which fell by five percent the day the claims were revealed.

The defendants stated in a filing that the lawsuit does not have merit and reiterated their claim that the heart devices have "significant security vulnerabilities."

Bishop Fox's report stated that it was able to validate Muddy Waters's claims.

"I found that Muddy Waters' and MedSec's statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate," Bishop Fox Partner Carl Livit stated.

The report claimed that the wireless communications protocol St. Jude uses in its cardiac devices is vulnerable to hackers, who could convert the devices into "weapons" that stop providing care to patients and instead deliver shocks to them.

Although Bishop Fox tested the attacks from a distance of 10 feet, it said that the distance could be extended to 45 feet with an antenna or even to 100 feet using a transmitter known as a software-defined radio.