Muddy Waters Is Short St. Jude Medical, Inc. (STJ)
Muddy Waters Capital is short St. Jude Medical, Inc. (NYSE:STJ).1 There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even absent a recall, the product safety issues we present in this report pose unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.
We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and a battery drain attack that could be particularly harmful to device-dependent users.2 Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.
We find STJ Cardiac Devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past. These attacks take less skill, can be directed randomly at any STJ Cardiac Device within a roughly 50-foot radius, theoretically can be executed on a very large scale, and, most gallingly, are made possible by the hundreds of thousands of substandard home monitoring devices STJ has distributed.3 The STJ ecosystem, which consists of Cardiac Devices, STJ’s network, physician office programmers, and home monitoring devices, has significant vulnerabilities. These vulnerabilities could very likely be exploited for numerous other types of attacks.
Key vulnerabilities can apparently be exploited by low-level hackers. Incredibly, STJ has literally distributed hundreds of thousands of “keys to the castle” in the form of home monitoring units (called “Merlin@home”) that, in our opinion, greatly open up the STJ ecosystem to attacks. These units are readily available on Ebay, usually for no more than $35. Merlin@homes generally lack even the most basic forms of security, and as this report shows, can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold that STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable.
The vulnerabilities result from an apparent lack of device security; and the communication protocols for the Cardiac Device ecosystem – which we believe lack basic protections such as encryption and authentication – are in fact compromised. As a result, an attacker can impersonate a Merlin@home unit and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires, in our opinion, a lengthy system rework.
Dr. Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, is recommending that his patients unplug their Merlin@home units, and he is not going to implant STJ devices until the problems discussed in this report are remediated. (His statement is in the Appendix.) Dr. Nayak is the medical advisor to MedSec Holdings Ltd. (“MedSec”), the cybersecurity research firm that identified the vulnerabilities in STJ’s ecosystem.4 (Dr. Nayak is also a member of its board.)
MedSec is a cybersecurity research firm focused on the healthcare industry. It contacted Muddy Waters after largely completing an assessment of major manufacturers’ pacemakers and implantable cardioverter defibrillators (“ICDs”).
The lack of security in the STJ pacemaker and ICD infrastructure stunned MedSec. STJ’s apparent lack of device security is egregious, and in our view, likely a product of years of neglect. Moreover, STJ’s devices were even the subject of a U.S. Department of Homeland Security investigation into cybersecurity flaws in 2014, yet these gaping holes seem to persist.6 As a result, neither MedSec nor Muddy Waters was confident that STJ would put patients before profits if it were approached behind closed doors. Muddy Waters and MedSec agreed that users’ interests are best served by being made aware of these serious issues. While standard practice in the cybersecurity industry is to notify companies of vulnerabilities before discussing them publicly, MedSec licensed its research to Muddy Waters so that we could bring these issues to light (without revealing detailed vulnerability information). Muddy Waters has engaged MedSec as consultants in addition to licensing its research on STJ. MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages.
MedSec has given Muddy Waters multiple demonstrations evidencing how hollow STJ’s device security is. To illustrate the severity of these vulnerabilities, MedSec demonstrated two types of attacks that could do severe harm to devices and users, and theoretically could be deployed on a large scale.
In addition to making an investment case, the purpose of this report is to inform device users and their physicians of these risks. MedSec and we believe that users have a right to know that there are serious security problems with their implanted Cardiac Devices, and the related devices. However, we are withholding and redacting technical information that could give potential attackers a roadmap.
We are unaware of any imminent threat to patient safety. However, we believe it is prudent from a security standpoint for STJ to immediately disable the RF capability of patients’ implanted devices. Regardless, Cardiac Device users should speak with their physicians about the risks. Muddy Waters is providing the United States Food and Drug Administration and Department of Homeland Security with a version of this report, and expects to facilitate dialogue between the agencies and MedSec.
As we detail in this report, Muddy Waters believes there is a strong possibility that STJ will need to recall its pacemakers, ICDs, and CRTs while it hardens security of the device ecosystem. This recall would likely entail a moratorium on sales of these devices, and we estimate this moratorium would be effective for a remediation period of at least two years.
The devices MedSec studied, and that formed the basis for these conclusions, included pacemakers and ICDs but did not include CRTs. Because the CRTs are compatible with the compromised Merlin@home devices, this report assumes that they have similar vulnerabilities and should also be recalled and remediated. (Were the CRTs not to have the expected or similar vulnerabilities, then those products would not need to be recalled.)
The Merlin@home devices were obtained second-hand – often from online vendors. The programmers were obtained via a third-party partnership with a licensed physician. The observations regarding device security in this report are derived from the substantial majority of devices studied, and it is possible that newer versions of these devices have some security enhancements that could eliminate some seemingly minor vulnerabilities in those particular devices.
However, even if new generations of devices have some enhancements, we still view the entire ecosystem as greatly compromised. There are likely hundreds of thousands of Merlin@home devices with easily exploitable vulnerabilities in the world, and vulnerable devices are easily purchased online for no more than $35. This train has already left the station.
STJ’s Compromised Cardiac Device Ecosystem
For our purposes, the Cardiac Device ecosystem consists of four components: the implantable device, the Merlin programmer, the STJ network, and the Merlin@home.
Any programmer or Merlin@home device can generally communicate with any Cardiac Device because there is no strong authentication built into the protocol. Attackers who can reverse engineer the communication protocol can access and impersonate parts of the ecosystem, including the Cardiac Devices.
Usually, devices that are part of an ecosystem such as this one would have defenses including strong authentication, encrypted software and code, anti-debugging tools, and anti-tampering mechanisms. A manufacturer might also require wand activation before allowing RF communication (meaning the home device would have to be within inches of the Cardiac Device). STJ’s major competitors have used the aforementioned techniques (among others) to protect their protocols. The Merlin@homes studied generally had none of these defenses. In Security Well Below Industry Standards infra, we present a table comparing STJ’s lack of security to the major competitors studied.
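To make the argument above concrete, the following added example (not code from the report, MedSec, or STJ, and not STJ’s actual protocol) models a toy implant that either accepts any RF command from any sender, or requires a per-device key provisioned only at wand range and a fresh HMAC tag on every RF message. Device names, commands and key sizes are assumptions.

```python
import hmac, hashlib, os

class Implant:
    """Hypothetical Cardiac Device model; illustrates the authentication argument only."""
    def __init__(self, require_auth):
        self.require_auth = require_auth
        self.pairing_key = None      # set only during wand-range (inches) pairing
        self.seen_nonces = set()     # rejects replayed RF messages
        self.accepted = []

    def pair_in_wand_range(self, key):
        # Key provisioning is gated on physical proximity, not on 50-foot RF reach.
        self.pairing_key = key

    def receive_rf(self, msg):
        if not self.require_auth:
            self.accepted.append(msg["cmd"])   # "any programmer can talk to any device"
            return True
        if self.pairing_key is None or msg["nonce"] in self.seen_nonces:
            return False
        expected = hmac.new(self.pairing_key, msg["cmd"].encode() + msg["nonce"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False                        # sender does not hold this device's key
        self.seen_nonces.add(msg["nonce"])
        self.accepted.append(msg["cmd"])
        return True

def build_rf(cmd, key):
    """Constructed RF message from a home unit holding `key` (assumed format)."""
    nonce = os.urandom(8)
    tag = hmac.new(key, cmd.encode() + nonce, hashlib.sha256).digest()
    return {"cmd": cmd, "nonce": nonce, "tag": tag}

def scenario(require_auth):
    """Returns (paired unit accepted, unpaired unit accepted, replay accepted)."""
    implant = Implant(require_auth)
    home_key = os.urandom(32)
    implant.pair_in_wand_range(home_key)
    msg = build_rf("READ_STATUS", home_key)
    legit = implant.receive_rf(msg)
    rogue = implant.receive_rf(build_rf("READ_STATUS", os.urandom(32)))  # never paired
    replay = implant.receive_rf(msg)                                       # same message again
    return legit, rogue, replay

if __name__ == "__main__":
    print("no authentication:", scenario(False))
    print("keyed + wand pairing:", scenario(True))
```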
Hundreds of Thousands of Keys to the Castle
Perhaps most shocking about STJ’s lack of security is that it has distributed hundreds of thousands of devices that are apparently so easily analyzed for vulnerabilities. There are numerous Merlin@home units for sale on Ebay – usually for no more than $35. The below screenshot shows the ready availability of the Merlin@home devices on Ebay.
When a patient receives a Cardiac Device implant, it is usually bundled with a Merlin@Home monitor. Previous generations of these devices were shown to be vulnerable to hacking within very close proximity.10 However, these devices had wands that needed to be within inches of the Cardiac Device in order to communicate. Merlin@home devices and implants now have additional RF capabilities, with a communications range of approximately 50 feet. They now pose a far more significant risk to user safety than before. The Merlin@home devices MedSec tested generally only required approximately 10 minutes to get access to the root directory.
“Getting root” on the Merlin@home devices exposes sensitive STJ network credentials. We believe the ease of getting root shows how poor the device security is. MedSec identified three methods to get root on the @home devices.
There are numerous ways in which the Merlin@home devices violate security standards (and defy logic):
- No apparent tamper-proofing or hardware identity protection. Chip models are clearly displayed, aiding the research process for an attacker.
- Unprotected software. While patient data is encrypted, the Merlin@home device has entirely unencrypted software. Competing systems use some form of encryption to protect the proprietary applications. Extracting software from the @Home device can be done by identifying the chip, and reading the data off it. The Merlin@home’s Samsung flash memory has been publicly documented to be vulnerable.
- Lack of a layered defense. In MedSec’s opinion, the use of off-the-shelf components and the lack of anti-debugging mechanisms made the Merlin@home device significantly easier to reverse engineer and to locate numerous vulnerabilities in. The manufacturer left many development items on the devices that should not be present, such as scripts that allow debugging and development mode to be turned on. All of the competitors incorporated additional security measures. Some manufacturers required short-range authentication (via a wand).
- Easy availability of device firmware. MedSec was also able to obtain the @home device’s firmware in three ways:
- Decapping (decapsulating) the Samsung memory chip,
- Getting root on the @home device and simply copying the files to the USB port,
MedSec believes a software update was likely pushed to some of the Merlin@home devices that made them appear more secure; however, in MedSec’s opinion, this update represented a very slight change in security. This might have been STJ’s response to the 2014 issues. Merlin@home units manufactured in 2016 appear to have the same type of vulnerabilities.