Trading in stock of medical device paused after hackers team with short seller

Share this…

St. Jude Medical declares claim of vulnerability “false and misleading.” Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value. That drop was triggered by news of alleged vulnerabilities in the company’s cardiac care devices. The vulnerability was disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had “shorted” St. Jude’s stock on the information in order to profit from a drop in the stock’s value.

The researchers at the security firm MedSec chose to take this route to disclosure, MedSec CEO Justine Bone said, to “ensure that St. Jude Medical responds appropriately and with urgency.” The partnership with a short seller is a fundamental departure from the established approach of responsible disclosure normally taken by researchers. But it also represents an approach that bypasses the sort of legal maneuverings and threats, suppression of information, and inaction that have been experienced by researchers who have discovered vulnerabilities in other products. Researchers who discovered a vulnerability in Volkswagen electronic engine locks, for example, were forced to withhold a paper for two years through a court injunction filed by the automaker in 2012.


Muddy Waters issued a report on Thursday claiming that it had demonstrated “two types of cyber attacks against STJ implantable cardiac devices: a ‘crash’ that causes cardiac devices to malfunction… and a battery drain attack that could be particularly harmful to device dependent users.” The report claimed that the vulnerabilities had been proven in “multiple demonstrations evidencing how hollow STJ’s device security is.”

In a blog post, Bone said that St. Jude “has stood out as lagging far behind” in addressing vulnerabilities in its products. She continues:

For years [St. Jude Medical] has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security. We believe St. Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken. In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St. Jude Medical responds appropriately and with urgency.

The partnership with Muddy Waters was to help the researchers “deliver this message,” Bone said.

Bone wrote that she believed that it was time “to re-think the way cyber security is managed.” She acknowledged that partnering with a short seller would draw criticism, “but we believe this is the only way to spur St. Jude Medical into action,” she explained. “Most importantly, we believe that both potential and existing patients have a right to know about their risks.”

After the report was released, St. Jude’s stock fell 10 percent on Thursday and an additional 2 percent today before trading was halted. In a statement published today, a St. Jude spokesperson said, “We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading.”

The vulnerabilities applied to older versions of the “Merlin@home” devices that drive the cardiac implants that are not capable of being automatically patched, the spokesperson said. The company claims that newer versions of the devices have already been updated. Additionally, the spokesperson dismissed the battery drainage vulnerability as “misleading” because MedSec claimed it could be executed from 50 feet away.

“This is not possible since once the device is implanted in a patient, wireless communication has an approximate 7-foot range,” the spokesperson insisted, and the attack would also require “hundreds of hours of continuous and sustained pings” of the implant by an attacker. Furthermore, St. Jude claimed that the screen shots used to demonstrate the “crash” attack actually show the device working normally.