St Jude Medical Device Vulnerabilities Questioned

The St Jude Medical device vulnerabilities that were recently announced in a report from Carson Block firm Muddy Waters resulted in St. Jude Medical stock being shorted, as was intended. The report, which was published on August 25, 2016, was based on research conducted by cybersecurity company MedSec.

MedSec conducted an 18-month study into the cybersecurity of medical devices produced by a range of different companies. The St Jude Medical device vulnerabilities flaws were deemed to be particularly serious. Some St. Jude Medical cardiac devices such as the Merlin@Home range were discovered to lack even elementary security controls according to the Muddy Waters report.

It has been claimed that St Jude Medical device vulnerabilities could be remotely exploited by hackers who would be able to crash the devices, cause them to malfunction, or drain the batteries and cause the devices to fail. This could potentially cause the wearer of the device to be seriously harmed.

The Muddy Waters report states there are no anti-debugging mechanisms, that no encrypted software is used, and the devices lack hardware identity protection. An attacker could conduct an attack from a 50-foot radius, and in theory, attacks could be conducted on a “very large scale.” Furthermore, the vulnerabilities could be exploited by attackers with low skill levels.

St. Jude Medical has denied the allegations saying the report is “misleading and unnecessarily frightening patients.” Now independent researchers from the University of Michigan have questioned the validity of the Muddy Waters report.

University of Michigan Researchers Fail to Draw Same Conclusions as Muddy Waters/MedSec

While the researchers have not come out and said that the report is incorrect, they have said they drew very different conclusions from their experiments. The researchers followed the details published in the Muddy Waters report and were able to generate the same error screens. However, while Muddy Waters reported these screens were evidence that the devices had been caused to malfunction.

According to University of Michigan associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security, the report is “inconclusive because the evidence does not support their conclusions.”

He said “In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard.” The error screens are displayed, but they do not indicate that the device is not working.

Muddy Waters responded to the report issued by the UM researchers saying ““It’s is no surprise the University of Michigan was inconclusive about our research given that we deliberately didn’t publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the playbook to potential hackers.”

University of Michigan researchers are continuing to investigate the claims in the Muddy Waters report. Further findings of the researchers tests on the alleged St Jude Medical device vulnerabilities are expected to be published soon.

St Jude Medical Device Vulnerabilities or Security Feature?

St. Jude Medical’s vice president and chief technology officer, Phil Ebeling, also pointed out that the claims that the devices were malfunctioning was incorrect. He said that a video showing “proof” of device malfunction was incorrect. “The video clearly shows a security feature, not a flaw. The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a “safe” mode to ensure the device continues to work, which further proves our commitment to safety and security,” he said.

If attacked and unexpected conditions are experienced, the device will keep on functioning in safe mode and will revert to pre-programmed pacing and defibriliation functions. He also pointed out that “some of our devices, by design, disable further RF communications for a period of time, which may appear to the untrained eye as having rendered the device disabled, although it continues to function.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of