Short-seller Muddy Waters shot back at St. Jude Medical (NYSE:STJ) today in a continued dispute over alleged cybersecurity flaws in the company’s cardiac rhythm management devices, saying St. Jude’s response to its accusations was “deceptive” and holding its stance on the vulnerabilities.
St. Jude on Friday rebutted Muddy Waters’ original accusations of CRM device vulnerabilities, with the company’s top R&D executive calling them “absolutely untrue.”
Muddy Waters, the firm founded by well-known short-seller Carson Block, harshly criticized St. Jude, saying their response to the report “contained very little substance, and actually included admissions to several key points,” and pushing the accusations with the release of a video of a “crash attack” being performed in a cybersecurity test of one of St. Jude’s pacemakers.
Muddy Waters struck back at each point earlier refuted by St. Jude, dissecting the response with its own rebuttals. St. Jude had responded to the original accusations by saying users of its Merlin@home devices would have to be within 7 feet of the device to be vulnerable, as opposed to the 50 feet suggested in the report.
The short-seller said that by admitting users would be vulnerable at 7 feet, St. Jude acknowledged “that the hundreds of thousands of active Merlin@home users who sleep near their Merlin@homes would obviously be vulnerable to a large-scale attack when connected to the devices for a continuous time period.”
Muddy Waters refuted St. Jude’s claims of solving vulnerabilities through regular software updates, saying that many of its exposed vulnerabilities “cannot be addressed with software updates alone” due to other issues, according to the report.
The group called most of St. Jude’s response “fluff” and said it engaged a firm to do a credibility analysis of St. Jude’s response. The hired firm accused St. Jude of being “deceptive about the cyber security of its cardiac devices and their knowledge of their existing limitations.”
“Their agenda is to manage the perception of the market in the short term from pessimism to optimism, erode the credibility of the MWC report and present confidence in the face of specific allegations while simultaneously failing (or choosing not) to insert inarguable facts to the contrary,” the group wrote in its report.
Last Thursday, Muddy Waters released a report on St. Jude’s Merlin@home devices, saying they “can be exploited to cause implanted devices to malfunction and harm users.”
“We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable,” Muddy Waters wrote in the report.
“The vulnerabilities result from an apparent lack of device security; and, the communication protocols for the Cardiac Device ecosystem – which we believe lacks basic protections such as encryption and authentication – are in fact compromised,” according to the firm’s 33-page report. “As a result, an attacker can impersonate a Merlin@home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework.”
St. Jude rebutted the claims on Friday, with chief technology officer Phil Ebeling saying “the allegations are absolutely untrue,” in an emailed statement. “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”
The accusations stem from a cybersecurity firm, Miami-based MedSec Holdings, that approached Muddy Waters after investigating St. Jude and 3 of its competitors. MedSec’s compensation for the research, however, is tied to Block’s short on STJ shares. And cybersecurity experts say there’s no economic rationale for the type of mass attack hypothesized in the Muddy Waters report.
“The lack of a clear business model for making money from hacking medical devices suggests that it’s unlikely we will see the types of mass attacks,” famed “white hat” medical device hacker Billy Rios told Bloomberg.
St. Jude questioned the validity of the report and defended the safety and security of its devices.
“We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016, regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions,” St. Jude wrote in a prepared statement.
Shares rose slightly today for St. Jude, up 0.3% to close at $78.25.