Researchers: Evidence St. Jude report might not be accurate

A prominent medical-device security expert tried to reproduce a purported hack of St. Jude Medical pacemakers and came to what a university press release called “strikingly different conclusions.”

University of Michigan associate professor Kevin Fu, along with the Archimedes Center for Medical Device Security that he heads, tried to recreate a “crash attack” listed in a controversial report released last week. What they found was evidence that the report is in error.

The crash attack was one of two attacks in a report released by Muddy Waters Investments with research done by a team at MedSec. The report created a small uproar in the security community because, rather than contacting the manufacturer about the security vulnerability it had discovered, MedSec went to Muddy Waters Investments, which shorted the stock before releasing the vulnerability publicly.

The second attack in the report, a “battery drain,” was already criticized by St. Jude Medical for being deceptive. To successfully drain a battery, the device company said, the attack could require a patient to stay within a small radius for more than a day. 

The Archimedes Center has now cast doubt on the crash attack, too. It found that the error messages reported by MedSec and Muddy Waters as indicators that the device had been successfully attacked were the same messages given when the pacemaker was not properly plugged in.

“In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard,” said Fu in the University of Michigan press release. 

This does not necessarily mean the report was false. But the Muddy Waters report does not describe an exact recipe to recreate its attack. Short of having a reproducible method to attack the pacemakers, the fact that the MedSec attacks appear so similar to a device simply not plugged in suggests an alternate explanation for the supposed hack. 

“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue,” said Fu in the press release. 

