Software Integrity Blog


Researchers question Muddy Waters’ security report on St. Jude Medical

New research suggests that parts of a report from a capital investment firm alleging vulnerabilities in St. Jude Medical devices were inaccurate.

Last week, Muddy Waters Capital founder Carson Block said in a statement, “We find STJ Cardiac Devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past.” He repeated those claims to Bloomberg, saying that tens of thousands of Americans are living with ticking time bombs.

However, attempts by University of Michigan researchers to recreate the research, originally done by a third-party testing lab, MedSec, on behalf of Muddy Waters, have proved “inconclusive.”

In a blog post, they wrote, “The U-M team is composed of several leading medical device security researchers and a cardiologist from the U-M Health System’s Frankel Cardiovascular Center. ‘Hyperbolic’ and ‘sloppy’ are words they use to describe the unorthodox report, which was released last week by short-selling investment research firm Muddy Waters Capital and medical device security firm MedSec, Ltd.”

For example, the researchers cite page 17 of the Muddy Waters report, where a screenshot displays error messages as proof of a security breach.

“But really the pacemaker is acting correctly,” said Dr. Kevin Fu, associate professor of computer science and engineering at U-M and director of the Archimedes Center for Medical Device Security. “To the armchair engineer it may look startling, but to a clinician it just means you didn’t plug it in. In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard.”

Fu is also co-founder of medical device security startup Virta Labs.

The University of Michigan team stressed that while they found fault with the security research as presented in the report, there may be valid issues with any medical device.

“While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive,” Fu concluded. “Healthcare cybersecurity is about safety and risk management and patients who are prescribed a medical device are far safer with the device than without it.”

