Short-selling firm Muddy Waters Capital LLC on Monday reinforced its scathing critique of alleged computer-hacking vulnerabilities in pacemakers and implantable defibrillators made by Minnesota-based St. Jude Medical.
Muddy Waters published a choppy internet video Monday afternoon purporting to demonstrate an actual cyberattack against a St. Jude pacemaker. The video and a related six-page report are intended to rebut claims by St. Jude on Friday that its cybersecurity controls are adequate.
“We invite STJ to explain what is going on with its pacemaker,” the Muddy Waters report said, citing the 15-minute publicly shared video on Vimeo.com. STJ is St. Jude’s stock ticker symbol.
The low-resolution video, titled “STJ Pacemaker Crash Attack,” purports to show a person placing a functional St. Jude pacemaker and a control device onto one of the company’s Merlin machines, which are used to communicate with the implantable devices, and changing the pacemaker’s name. The St. Jude device is then plugged into the hacker’s laptop. When the pacemaker is reconnected to the Merlin machine, the network fails to find any trace of the device.
“Pretty clear we cannot communicate with the device,” says the video’s hacker. A spokesperson for Muddy Waters declined to identify the hacker in the video.
Muddy Waters said last week that it had taken out a short position on St. Jude stock — which means it stands to profit if St. Jude stock falls in value — at the same time that it revealed what it called major flaws in the device’s security. Muddy Waters said it did not approach St. Jude before going public with findings.
The flaws stemmed from, among other factors, using “off-the-shelf” computer chips in St. Jude devices instead of customized chips that are harder to crack. Muddy Waters also criticized the lack of encryption in some parts of St. Jude’s online “ecosystem” of device communications.
The result, according to the firm, is that communication tools used by doctors and patients to communicate with pacemakers and defibrillators could also be used by hackers to drain device batteries, cause malfunctions, and compromise St. Jude’s network in a way that would allow for a “large-scale attack” on multiple devices at once.
No actual cyberattack on an individual device has been documented outside of controlled experiments and demonstrations. Muddy Waters said it would be illegal to test its theory of a mass attack on St. Jude devices, but it stands behind it.
St. Jude said last week that the Muddy Waters report appeared to be looking only at older versions of devices that lacked recent software patches, and that the battery-kill attack could only be performed at a very short range over a long period of time, making it too impractical to be a serious threat.
The Food and Drug Administration has confirmed that it is investigating the allegations, but as of Friday afternoon the agency was not recommending patients or physicians make any changes to their devices.
Physicians have said in interviews with the Star Tribune that they don’t plan to make any adjustments to the devices unless published data confirm Muddy Waters’ allegations, or if the FDA issues a recommendation to make changes.
St. Jude Medical stock lost about 8 percent of its value when the allegations first came out Thursday morning. The stock regained some value later Thursday, Friday and today. St. Jude stock closed up 24 cents, or 0.3 percent, to $78.25 on Monday, and is now down about 4.4 percent since Muddy Waters made its initial claim.