St. Jude Medical heart devices come under attack in security lawsuit

Screenshot via Profits over Patients

St. Jude Medical has once again come under fire relating to the security of the firm’s medical devices.

During a hearing relating to an ongoing dispute between the medical device maker, MedSec and Muddy Waters, a security company has alleged that security vulnerabilities in the firm’s implanted heart devices also place patients at risk.

Back in August, MedSec and investment research body Muddy Waters released a security vulnerability report which claims that St. Jude Medical’s pacemakers and defibrillators were vulnerable to cyberattacks due to inherent security problems. The report claims that successful attacks could result in battery drain or the manipulation of pacemaker beat rates, which in turn could put patient lives in jeopardy.

The claims resulted in the medical device maker’s share price plummeting. In return, St. Jude Medical decided to “set the record straight.”

In September, St. Jude Medical filed a lawsuit against MedSec and Muddy Waters, alleging that the research was not published for the sake of public disclosure and the common good but rather for profit.

St. Jude Medical says that the report, which used “false and misleading tactics” for scaremongering purposes, was intentionally designed for the sake of a short-selling scheme.

These schemes involve investors who sell stock if they believe the value is soon to drop, in turn allowing them to buy shares back at a lower price and make money.

As the report entered the public forum, Muddy Waters shorted the stock, estimating that St. Jude’s value would be affected for “at least” two years. In the meantime, MedSec was hired as a consultant, paid a fee and a cut of the investment.

St. Jude has rejected the report’s claims, and University of Michigan researchers say the report’s conditions can be replicated without any apparent security problems coming to light.

However, the medical device maker is now facing a new round of allegations. As part of the lawsuit, security experts hired by MedSec and Muddy Waters say that St. Jude’s heart implant devices are also vulnerable to cyberattack.

As reported by ThreatPost, independent security firm Bishop Fox provided testimony on the safety of St. Jude Medical devices in a federal court in Minnesota.

Within the testimony (.PDF), Bishop Fox said the St. Jude Medical implantable cardiac device ecosystem “does not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.”

In particular, the company says the wireless protocol used by the devices to communicate has serious security vulnerabilities which permit attackers to take control of the devices and deliver shocks to patients at a range of up to 10 feet, a range which could also be extended with off-the-shelf components.

“I found that Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” security researcher Carl Livitt said within the testimony.

In a statement, St. Jude Medical said:

“Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St. Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry.

Patients, physicians, and caregivers deserve better than the irresponsible release of information that is intended for financial gain and is unnecessarily frightening.”

This month, Muddy Waters launched a website, Profits over Patients, which will document the court case as it progresses. In addition, the domain hosts videos which reportedly show researchers compromising St. Jude medical devices.
