Hired experts back claims St. Jude heart devices can be hacked

By Jim Finkle (Reuters) - Short-selling firm Muddy Waters said in a legal filing on Monday that outside experts it hired validated its claims that St. Jude Medical Inc cardiac implants are vulnerable to potentially life-threatening cyber attacks. U.S. regulators responded by reiterating previous advice that patients should keep using the devices, and a St. Jude spokeswoman said the company would respond "through appropriate legal channels." Muddy Waters released a 53-page report from boutique cyber security firm Bishop Fox as part of a legal filing in federal court in Minnesota in its defense against a suit brought by St. Jude. Bishop Fox said in the report it validated the claims with help from well-known specialists in cryptography, computer hardware hacking, forensics and wireless communications, and cyber research firm MedSec Holdings that St. Jude cardiac implants are susceptible to hacking. St. Paul, Minnesota-based St. Jude has strongly disputed those claims, which are under investigation by the U.S. Food and Drug Administration. One of the world's biggest makers of implantable cardiac devices, St. Jude filed a lawsuit against San Francisco-based Muddy Waters, Miami-based MedSec and individuals affiliated with those firms on Sept. 7. St. Jude accused them of intentionally disseminating false information about its heart devices to manipulate its stock price, which fell 5 percent the day they went public with their claims. The FDA said in a statement it had no comment on the litigation but that based on information obtained to date it urged patients to continue using devices as directed by their physicians. "The benefits of the devices far outweigh any potential cyber security vulnerabilities," the FDA said of St. Jude's cardiac implants, which the company said have been implanted in hundreds of thousands of patients. St. Jude spokeswoman Candace Steele Flippin said the company's lawyers were reviewing the documents from Muddy Waters and MedSec. "We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions," she said in an email. St. Jude in April agreed to sell itself for $25 billion to Abbott Laboratories. Short sellers like Muddy Waters make bets that stock prices will fall, selling borrowed shares so they can buy them at a lower price and profit from the difference. The defendants said that St. Jude's lawsuit is without merit, reiterating their prior claim that St. Jude's heart devices have "significant security vulnerabilities." "Muddy Waters' and MedSec's statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate," Bishop Fox Partner Carl Livitt said in the report. The report said the wireless communications in St. Jude cardiac devices are vulnerable to hacking, making it possible for hackers to convert the company's Merlin@home patient monitoring devices into "weapons" that can cause cardiac implants to stop providing care and deliver shocks to patients. Bishop Fox said it conducted successful test attacks from 10 feet (3 meters) away, but that the range might be extended to as far as 100 feet (30 meters) with an antenna and a specialized device known as a software defined radio. The report said Bishop Fox confirmed that several different types of hacks were possible. In one instance, it said, a hacker could remotely turn off the therapeutic functions of an implantable cardioverter defibrillator (ICD), then send a T-wave shock to a patient's heart, causing ventricular fibrillation, would could lead to cardiac arrest. Bishop Fox said its clients include Fortune 500 firms, global financial firms, medical institutions and law firms. Shares in St. Jude were little changed in afternoon trading. (Reporting by Jim Finkle; Editing by Will Dunham)