Our pacemakers are totally secure, says short-sold St Jude
Hackable medical device claims are 'false and misleading'
The manufacturer of pacemakers and defibrillators has slammed a report by security researchers, arguing it puts patients' lives at risk.
On Thursday security startup MedSec claimed that St Jude Medical pacemakers and defibrillators were easily hackable and that hackers could either run down the batteries in patent's implanted medical devises or cause them to crash completely. Rather than inform the company, MedSec did a deal with a Wall Street firm to short-sell St Jude stock and then go public with the news.
"While we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading," the company said. "St Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions."
The MedSec team claimed that the medical devices could be easily hacked, based on hardware the firm had bought on eBay and through code analysis. The CEO of Muddy Waters, the Wall Street firm it did a deal with to short St Jude stock, claimed that this could lead to a "nightmare scenario" of a "mass attack" against people with the hardware in their bodies.
Under the terms of the deal MedSec would get paid by Muddy Waters based on how far the stock fell in price. The security firm didn't inform St Jude about the flaws it claimed to have found before cashing in.
A day later – presumably after the short sellers had made their profit – St Jude has responded, pointing out that many of the claims made against their products can't be justified. The firm hasn't said if it is complaining to the US financial watchdog – the Securities and Exchange Commission – about the issue, but such a move seems likely.
MedSec's two key claims were that hackers could either wirelessly disrupt pacemaker functions or run the battery powering the life-saving devices from 50 feet away. This is false, the manufacturer claims.
"Once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report," St Jude said in a statement.
"In the described scenario it would require hundreds of hours of continuous and sustained 'pings' within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient."
The implanted devices are monitored by a Merlin programmer or a Merlin@home hub that wirelessly receives signals from the medical hardware and forwards them to doctors. MedSec claimed a compromised terminal, or a nearby software-defined radio, could send malicious signals to a pacemaker to "crash" it or empty its battery.
But according to St Jude, it sounds as though the communication is one way from the pacemakers or defibrillators to the monitoring station, which means at most you can simply disrupt telemetry flowing from the implanted widget.
Responsible disclosure rules – that most of the security industry follows – would have meant contacting the manufacturer before going public. Instead the head of MedSec, who happens to be former head of risk management at Bloomberg, leaked the story to her former employer and reaped the benefits.
El Reg will be following up on this story but the damage is done – Wall Street has reaped its profits and expect more FUD stories in the future. After all, serious money is at stake. ®