Researchers question St. Jude cybersecurity report


Researchers with the University of Michigan are questioning the validity of a recent report that warns of cybersecurity vulnerabilities for St. Jude Medical cardiac devices.

The Aug. 25 report, published by investment firm Muddy Waters Capital, admonishes St. Jude for profiting off of devices with “little to no built-in security”; it relies on white hat hacking performed by security research firm MedSec.

But U-M researchers, who worked to recreate the error messages highlighted by Muddy Waters and MedSec, say their evidence doesn’t support the report’s conclusions. For instance, they note that the messages cited in the report are the same warnings a device user would receive if the tool were not plugged in.

“We were able to generate the reported conditions without there being a security issue,” Kevin Fu, a U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security, says in the note. “[W]e believe the pacemaker is acting correctly. To the armchair engineer it may look startling, but to a clinician it just means you didn't plug it in. In layman's terms, it's like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard.”

Fu, who is also co-founder of medical device security startup Virta Labs, adds that the report’s claims are akin to claiming the sky is falling, which he calls “counterproductive.” Virta plans to publish a white paper that dissects the report soon.

In a statement issued to Reuters, Muddy Waters says the U-M findings were not surprising, given that “detailed information on the vulnerabilities” was not published as a safety precaution.

“If anything, this proves that we were responsible with our disclosure,” Muddy Waters says.