Reuters logo
UPDATE 1-Study finds flaws in criticism of St. Jude cyber security
2016年8月31日 / 凌晨12点02分 / 1 年前

UPDATE 1-Study finds flaws in criticism of St. Jude cyber security

(Adds comment from Muddy Waters)
    By Ransdell Pierson
    Aug 30 (Reuters) - University of Michigan researchers on
Tuesday said their own experiments undermine recent allegations
of security flaws in St. Jude Medical Inc's pacemakers
and other implantable medical devices.
    Shares of St. Jude fell 5 percent on Thursday after
short-selling firm Muddy Waters and its business partner, cyber
security company MedSec Holdings Inc, alleged finding
significant security bugs in the company's Merlin@home device
for monitoring implanted heart devices. They said the flaws
could potentially enable others to remotely speed up the heart
devices or drain their power.  
    The university said its researchers came "to strikingly
different conclusions" after generating the conditions reported
by Muddy Waters. 
    The team consisted of several leading medical device
security researchers and a cardiologist from the university, it
said in a release.
   Muddy Waters founder Carson Block said he shorted St. Jude
shares after MedSec approached him three months ago with results
of research it had conducted into the company's medical device
    In an unusual deal, Block said he hired the cyber security
firm as a consultant and agreed to pay it a licensing fee for
the research and a percentage of any profits from the
    The University of Michigan's team reproduced error messages,
or signs of a problem, which Muddy Waters cited as evidence of a
successful "crash attack" into a home-monitored implantable
heart device. But the messages are the same set of errors that
display if the device is not properly plugged in, the university
    "We're not saying the (Muddy Waters) report is false; we're
saying it's inconclusive because the evidence does not support
their conclusions," said Kevin Fu, University of Michigan
associate professor of computer science and engineering and
director of the Archimedes Center for Medical Device Security.
    St. Jude has called the Muddy Waters report "false and
misleading," saying most of the observations applied to older
versions of its Merlin@home devices that had not been patched
with security upgrades.
    Muddy Waters issued a statement saying the firm was not
surprised that the result of the research was inconclusive.
    "We deliberately did not publish detailed information on the
vulnerabilities, exploits or attacks on the devices in order to
avoid giving the play book to potential attackers," the
statement said. "If anything, this proves that we were
responsible with our disclosure."

 (Reporting by Ransdell Pierson; Editing by Frances Kerry and
Andrew Hay)

0 : 0
  • narrow-browser-and-phone
  • medium-browser-and-portrait-tablet
  • landscape-tablet
  • medium-wide-browser
  • wide-browser-and-larger
  • medium-browser-and-landscape-tablet
  • medium-wide-browser-and-larger
  • above-phone
  • portrait-tablet-and-above
  • above-portrait-tablet
  • landscape-tablet-and-above
  • landscape-tablet-and-medium-wide-browser
  • portrait-tablet-and-below
  • landscape-tablet-and-below