An outside expert report evaluating the research performed by MedSec Holdings Ltd. is now available on www.ProfitsOverPatients.com. The report was prepared by Stach & Liu, LLC d/b/a Bishop Fox, a security consulting firm specializing in providing cybersecurity services to Fortune 500 companies, global financial institutions, high-tech startups, medical institutions, media companies and law offices. The report is appended to an answer filed this morning by Muddy Waters, MedSec, and the other defendants in a lawsuit brought by St. Jude Medical.
The Bishop Fox report refutes key claims in the lawsuit, demonstrating it is a frivolous attempt to suppress debate about the security weaknesses of St. Jude Medical’s devices. The report largely corroborates MedSec’s research and states a hacker could reconfigure a Merlin@Home “to act as a weapon that can be used to attack patients with implanted St. Jude Medical cardiac devices.” St. Jude should focus on improving cybersecurity, not perception.
The report says:
- With respect to overall device security, the security measures “do not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients.”
- The radio frequency protocol is “fundamentally compromised by flaws in its use of cryptography and by St. Jude Medical’s inclusion of a ‘backdoor’ that obviated entirely the need to perform cryptographic operations when communicating with a pacemaker or ICD.” The backdoor is a 3-byte universal key.
- St. Jude Medical’s statement that Merlin@homes cannot change therapeutic settings on cardiac devices is “demonstrably false.” In fact, Bishop Fox replicated attacks using the Merlin@home monitor to reprogram and issue commands to cardiac devices, including to deliver a T-wave shock to a patient (which induces cardiac arrest), stop providing therapy altogether, rapidly deplete implanted device batteries, and disable certain communication functionalities.
- Bishop Fox “observed that Merlin@home units can communicate with cardiac devices at a distance of approximately 11ft (Bishop Fox measured 10ft under controlled conditions) without requiring any interaction or even knowledge on the part of the patient. Calculations show that it would be possible to extend this range by adding commercially available antennae to the Merlin@home, which would facilitate communication with cardiac devices at a distance of approximately 45ft; further calculations showed that if carefully configured radio communication systems (‘Software Defined Radios’ or ‘SDRs’) were used instead of Merlin@home devices, the attacks could plausibly be carried out from a distance of approximately 100ft.”
A copy of the report, an exhibit to the defendants’ answer, is available from www.ProfitsOverPatients.com.
Article by Muddy Waters
Defendants Muddy Waters Consulting LLC,1 Muddy Waters Capital LLC, Carson C. Block (collectively, “Muddy Waters”), MedSec Holdings Ltd., MedSec LLC, Justine Bone (collectively, “MedSec”), and Dr. Hemal M. Nayak answer Plaintiff’s Complaint as follows:
Introduction And Overview Of Complaint And Answer
This case presents fundamental issues of First Amendment freedoms. By filing the Complaint, Plaintiff seeks to punish and prevent vital discussions about significant risks to the lives and health of ordinary Americans. The health warnings at issue in this case involve truthful communications about matters of the highest public interest and concern.
As the Complaint alleges, Muddy Waters largely manages hedge funds through a shortseller driven investment strategy. Complaint ¶ 5 [Dkt. 1]. More importantly, as this Answer discusses, Muddy Waters identifies and sells short securities of companies that are engaged in, among other things, unsafe business practices. Answer, infra ¶ 5. Muddy Waters’ research, which it provides for free, has helped regulators with at least nine investigations of public companies, resulting in four de-listings from national stock exchanges, recovery of tens of millions of dollars in fines from public companies, and more than $100 million in payment to investors. Id. In 2012, Muddy Waters received the Financial Times’ “Boldness in Business Award,” and in 2011, Bloomberg BusinessWeek named Defendant Block “One of the 50 Most Influential in Global Finance.” Id.
In August 2016, Muddy Waters tackled the issue of cybersecurity—to which it believes American companies have paid too little attention, despite routine reports of cyberwarfare and data security breaches. Answer, infra ¶ 44. Muddy Waters published the two reports at the heart of this lawsuit based on research conducted by Defendant MedSec, which revealed security vulnerabilities in certain implantable cardiac devices, home remote transmitters (called the “Merlin@home”), and physician programmers that Plaintiff manufactures. Complaint ¶¶ 45, 52. As a result of this research, Defendant Dr. Nayak, a University of Chicago cardiac electrophysiologist and MedSec board member, advised his patients to disable their Merlin@homes for their safety. Id. ¶ 49.
In response, Plaintiff filed this lawsuit, alleging Defendants conspired to defame it. Complaint ¶¶ 114-17. In fact, the reports conveyed and provided credible bases for Defendants’ opinions that certain of Plaintiff’s devices lack sufficient cybersecurity protections. After Plaintiff filed its lawsuit, security consulting firm Bishop Fox, which put together a team of outside, well-recognized cybersecurity experts, opined the devices Defendants tested have “serious security vulnerabilities.” Answer, infra ¶ 61. See Exhibit A ¶ 10 (copy of report).2 Bishop Fox concluded hackers can seize control of the Merlin@home devices and use them to change therapeutic settings on patients’ devices, a finding that directly contradicts Plaintiff’s allegations that “changes to therapeutic parameter settings on patients’ devices require use of the in-clinic programming device” and can be made “only by… the patient’s physician.” Complaint ¶ 42. Answer, infra ¶ 42. Bishop Fox also concluded the Merlin@homes can be manipulated to deliver a T-wave shock to a patient (a shock that induces cardiac arrest), stop providing any therapy at all, rapidly deplete implanted device batteries, and disable certain communication functionalities. Answer, infra ¶ 65.
See the full PDF below.
