In response to a lawsuit filed over claims of security vulnerabilities in St. Jude Medical cardiac devices, investment firm Muddy Waters Capital filed reports from its own cybersecurity experts maintaining that the devices pose the threat of potentially life-threatening cyberattacks.
In federal court in Minnesota, Muddy Waters filed a 53-page report from cybersecurity firm Bishop Fox, which it said backed its claims through research by well-known specialists in cryptography, computer hardware hacking, forensics and wireless communications, Reuters reports. That’s in addition to evidence submitted from security company MedSec Holdings, which also is named in the lawsuit.
The U.S. Food and Drug Administration, which is investigating the claims, made no comment about the filing, but said patients should continue using the devices. A St. Jude spokeswoman said the company would respond "through appropriate legal channels."
St. Jude filed the lawsuit on Sept. 7 against Muddy Waters and MedSec, accusing them of spreading false information in order to manipulate the St. Jude stock price. However, the device maker also recently announced the creation of a medical advisory board to focus on cybersecurity issues.
The Bishop Fox report states that wireless communications with the cardiac devices are vulnerable to hacking that can disable them or deliver shocks to patients. It said it had conducted successful attacks from 10 feet away, but the range might be as far as 100 feet with specialized equipment.
"Muddy Waters' and MedSec's statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate," Bishop Fox Partner Carl Livitt states in the report.
Security researchers with the University of Michigan, however, previously questioned Muddy Waters’ claims.