Last week, a controversial report claimed that pacemakers and other implantable heart devices made by the manufacturer St. Jude Medical have massive security flaws that leave them vulnerable to hacking. Now, medical device security expert Kevin Fu, an associate professor at the University of Michigan, is questioning the accuracy of that report.
The material presented in the report does not prove that hackers can cause a St. Jude device to crash, Fu told IEEE Spectrum in an interview. “The onus is on the claimant,” Fu says. “We’re not saying the report is false, we’re saying the evidence is not strong.” Fu says a screenshot presented as evidence of the hack could have come from a benign situation that was misinterpreted.
The investment firm Muddy Waters issued the report based on an investigation by cybersecurity research company MedSec Holdings. The two firms had a financial incentive in releasing the report: Muddy Waters had “shorted” St. Jude stock (i.e., bet that it would decline in value), and MedSec had arranged to share any profits. St. Jude’s stock price has indeed taken a beating over the past week.
The report alleges that St. Jude’s cardiac devices can be caused to malfunction by hacking the at-home monitor patients use to send information to their doctors. It predicts that St. Jude will need to recall its devices, and estimates that class-action litigation could cost the company US $6.4 billion. Here’s an excerpt from the report’s summary:
Key vulnerabilities can apparently be exploited by low level hackers. Incredibly, STJ has literally distributed hundreds of thousands of “keys to the castle” in the form of home monitoring units (called “Merlin@home”) that in our opinion, greatly open up the STJ ecosystem to attacks. These units are readily available on Ebay, usually for no more than $35. Merlin@homes generally lack even the most basic forms of security, and as this report shows, can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable.
It’s important to note that Fu has not yet tried to reproduce the hacks that MedSec claims to have pulled off: most notably, a “crash attack” causing an implanted device to beat at a dangerously fast speed and another attack that allegedly drains a device’s battery. Fu says his team at the Archimedes Center for Medical Device Security is still investigating the claims.
However, he says he’s troubled by what he’s found so far. “I think these people are probably brilliant security experts. What we’re questioning is whether they’re able to correctly interpret clinical results,” Fu says. “It is possible to have vulnerabilities without having hazardous situations for patients.”
Fu’s critique focuses on a screenshot from a St. Jude programming machine that’s presented on page 17 of the report, which is described as an indication that the associated cardiac device is malfunctioning. Here’s the screenshot in question:
Fu’s team conducted an experiment by connecting a St. Jude programming machine to their FDA-validated cardiac simulator. Using this setup, the researchers could create various conditions within the programmer and study the signals it sent to the simulated cardiac device.
The researchers created the same screen and error messages, Fu says, while the simulated device continued to beat at the appropriate rhythm. “There was no change at all,” he says. The error messages on the screen are “benign alerts,” he says, that indicate that the device isn’t connected to cardiac tissue. “This is what you’d expect to see if it wasn’t connected to a patient.”
His team’s brief demo is below, and they also describe the experiment in a blog post.
Again, it’s worth noting Fu hasn’t proved anything conclusively. It’s possible that the same screenshot could also be created by the crash attack the MedSec team claims to have pulled off.
Muddy Waters responded to a request for comment with the following statement: “It’s no surprise the University of Michigan was inconclusive about our research given that we deliberately did not publish detailed information on the vulnerabilities, exploits or attacks on the devices in order to avoid giving the playbook to potential attackers. If anything, this proves that we were responsible with our disclosure.”
Fu says he can’t comment yet on the overall veracity of the report, or the likelihood of a massive recall of cardiac devices from St. Jude. He does note that such a move would be unprecedented, though. “There has never been a [medical device] recall due to a security problem,” he says.
Even if there is a security vulnerability in St. Jude’s technology, he says, regulators would have to determine that the vulnerability causes a clinical risk to patients. “Unfortunately, there’s very little clinical data in the report. And the one piece of clinical data we found appears to have been misinterpreted,” he says.