Medical device-maker St. Jude faces new claims of security flaws

Medical device-maker St. Jude faces new claims of security flaws
© Getty Images

An investment firm and security company are stepping up their feud with St. Jude Medical, releasing a video alleging new security vulnerabilities in the device-makers products.

It's only the latest in the fight pitting investment firm Muddy Waters and security researchers MedSec against St. Jude Medical.

ADVERTISEMENT
In August, the pair released a report saying they had bet against the company and offering a description of two previously unreleased vulnerabilities in St. Jude’s popular brand of cardiac implants. On Wednesday, they released a video purportedly demonstrating four more security vulnerabilities.

The original claims made headlines because researchers traditionally disclose these types of vulnerabilities to manufacturers before making them public to give companies a chance to make repairs. Muddy Waters did not do that, increasing the odds its bet against St. Jude’s stock price would pay off.

Critics warn that releasing a report explaining how to hack a device without giving a company the chance to warn consumers or mend the products is an invitation for hackers to attack that device.

St. Jude subsequently filed a lawsuit against Muddy Waters and MedSec, claiming that the first vulnerabilities the investors announced were false.

The initial report was scant on details but contained a readout from a St. Jude device that purportedly crashed after a hack. But a well-respected research team from the University of Michigan claimed that the readout was likely the result of a test device that had not been properly plugged into heart-like tissue instead of a hack.

Now Muddy Waters and MedSec are firing back with new allegations.

The video — hosted on the site ProfitsOverPatients.com — looks more like an anti-St Jude advertisement than a traditional security report.

The video contains a montage of news coverage of medical device vulnerabilities and takes swipes at St. Jude over tense background music. It also takes aim at a claim from St. Jude in a court filing that it is impossible to send commands to the company's devices over radio waves.

A video demonstration of the new vulnerabilities purports to show otherwise, and comments by a former St. Jude employee claim flaws in the company's systems. 

In an emailed statement, St. Jude said it was looking into the alleged new security issues.  

“Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St. Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry," the company wrote.

“We take this matter very seriously and will once again work to quickly evaluate this new information.” 

On Tuesday, St. Jude announced a new cybersecurity board to improve its digital protections moving forward.