Muddy Waters Is Short St. Jude Medical, Inc. (STJ)
Muddy Waters Capital is short St. Jude Medical, Inc. (NYSE:STJ).1 There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even absent a recall, the product safety issues we present in this report pose unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.
We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users.2 Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.
We find STJ Cardiac Devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past. These attacks take less skill, can be directed randomly at any STJ Cardiac Device within a roughly 50-foot radius, theoretically can be executed on a very large scale, and most gallingly, are made possible by the hundreds of thousands of substandard home monitoring devices STJ has distributed.3 The STJ ecosystem, which consists of Cardiac Devices, STJ’s network, physician office programmers, and home monitoring devices, has significant vulnerabilities. It is highly likely that these vulnerabilities could be exploited for numerous other types of attacks.
Key vulnerabilities can apparently be exploited by low-level hackers. Incredibly, STJ has literally distributed hundreds of thousands of “keys to the castle” in the form of home monitoring units (called “Merlin@home”) that, in our opinion, greatly open up the STJ ecosystem to attacks. These units are readily available on eBay, usually for no more than $35. Merlin@home units generally lack even the most basic forms of security, and as this report shows, can be exploited to cause implanted devices to malfunction and harm users. We believe that courts will hold that STJ’s lack of security in its Cardiac Device ecosystem is grossly negligent, unless STJ settles the litigation we see as inevitable.
The vulnerabilities result from an apparent lack of device security; and the communication protocols for the Cardiac Device ecosystem – which we believe lack basic protections such as encryption and authentication – are in fact compromised. As a result, an attacker can impersonate a Merlin@home unit and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires, in our opinion, a lengthy system rework.
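To make the design point above concrete, the following is an added illustration (editor's example, not part of the Muddy Waters report and not MedSec's research or the St. Jude protocol): a toy command link in which the implant's only check on an incoming frame is the addressing field, beside one that requires a per-device pairing key and a monotonic counter. The frame layout, the command values, and the key-provisioning step are all assumptions invented for the sketch.

```python
"""Toy illustration of why an unauthenticated RF link lets anyone who
can transmit impersonate a trusted home monitor, and how a per-device
secret plus a monotonic counter closes that off.

Constructed example. The framing, command numbers and key handling are
invented for illustration and are NOT the St. Jude / Merlin@home protocol.
"""
import hashlib
import hmac
import struct

# Hypothetical command bytes for the toy protocol (assumed, not STJ's).
CMD_READ_STATUS = 0x01
CMD_SET_RATE = 0x02   # the kind of command a "crash" attack would need
CMD_RADIO_WAKE = 0x03  # the kind of command a battery-drain attack would repeat

PLAIN_FMT = ">IBH"      # device id, command, argument
AUTH_FMT = ">IBHQ"      # device id, command, argument, counter
TAG_LEN = 32            # HMAC-SHA256


# ---------------------------------------------------------------------------
# 1. Unauthenticated framing: nothing binds the frame to a paired monitor.
# ---------------------------------------------------------------------------
def build_plain_frame(device_id: int, cmd: int, arg: int) -> bytes:
    """Anyone in RF range can construct this; a second-hand monitor is not
    even needed once the format is known."""
    return struct.pack(PLAIN_FMT, device_id, cmd, arg)


def implant_accepts_plain(frame: bytes, my_id: int) -> bool:
    """The only "check" is that the addressing field matches."""
    device_id, _cmd, _arg = struct.unpack(PLAIN_FMT, frame)
    return device_id == my_id


# ---------------------------------------------------------------------------
# 2. Authenticated framing: per-device key + monotonic counter + MAC.
# ---------------------------------------------------------------------------
def build_auth_frame(key: bytes, device_id: int, cmd: int, arg: int,
                     counter: int) -> bytes:
    body = struct.pack(AUTH_FMT, device_id, cmd, arg, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedImplant:
    def __init__(self, my_id: int, pairing_key: bytes):
        self.my_id = my_id
        self.key = pairing_key   # assumed: set per implant at pairing time
        self.last_counter = 0    # replay protection

    def accepts(self, frame: bytes) -> bool:
        if len(frame) != struct.calcsize(AUTH_FMT) + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, _cmd, _arg, counter = struct.unpack(AUTH_FMT, body)
        if device_id != self.my_id:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False         # forged or tampered frame
        if counter <= self.last_counter:
            return False         # replay of an earlier genuine frame
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run the impersonation scenario against both designs."""
    device_id = 0x12345678
    real_key = b"per-device-key-set-at-pairing"       # constructed
    attacker_key = b"key-from-some-other-monitor"     # constructed

    implant = AuthenticatedImplant(device_id, real_key)
    forged_plain = build_plain_frame(device_id, CMD_SET_RATE, 200)
    genuine = build_auth_frame(real_key, device_id, CMD_READ_STATUS, 0, 1)
    forged = build_auth_frame(attacker_key, device_id, CMD_SET_RATE, 200, 2)

    return {
        "plain_forged_accepted": implant_accepts_plain(forged_plain, device_id),
        "genuine_accepted": implant.accepts(genuine),
        "forged_accepted": implant.accepts(forged),
        "replayed_genuine_accepted": implant.accepts(genuine),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The MAC defeats impersonation and the counter defeats replay; confidentiality of the command stream would additionally need an AEAD, which is omitted here to keep the point to authentication. The caveat that matters for the report's argument is the key: if every distributed monitor carried the same secret, possession of one second-hand unit would again be the "key to the castle", so the defence only holds when the secret is per implant and provisioned at pairing.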
Dr. Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, is recommending his patients unplug their Merlin@home units; and he is not going to implant STJ devices until the problems discussed in this report are remediated. (His statement is in the Appendix.) Dr. Nayak is the medical advisor to MedSec Holdings Ltd. (“MedSec”), which is the cybersecurity research firm that identified the vulnerabilities in STJ’s ecosystem.4 (Dr. Nayak is also a member of its board.)
MedSec is a cybersecurity research firm focused on the healthcare industry. It contacted Muddy Waters after largely completing an assessment of major manufacturers’ pacemakers and implantable cardioverter defibrillators (“ICDs”).
The lack of security in the STJ pacemaker and ICD infrastructure stunned MedSec. STJ’s apparent lack of device security is egregious, and in our view, likely a product of years of neglect. Moreover, STJ’s devices were even the subject of a U.S. Department of Homeland Security investigation into cybersecurity flaws in 2014, yet these gaping holes seem to persist.6 As a result, neither MedSec nor Muddy Waters was confident that STJ would put patients before profits if it were approached behind closed doors. Muddy Waters and MedSec agreed that users’ interests are best served by being made aware of these serious issues. While standard practice in the cybersecurity industry is to notify companies of vulnerabilities before discussing them publicly, MedSec licensed its research to Muddy Waters so that we could bring these issues to light (without revealing detailed vulnerability information). Muddy Waters has engaged MedSec as consultants in addition to licensing its research on STJ. MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages.
MedSec has given Muddy Waters multiple demonstrations evidencing how hollow STJ’s device security is. To illustrate the severity of these vulnerabilities, MedSec demonstrated two types of attacks that could do severe harm to devices and users, and theoretically could be deployed on a large scale.
In addition to making an investment case, the purpose of this report is to inform device users and their physicians of these risks. MedSec and we believe that users have a right to know that there are serious security problems with their implanted Cardiac Devices, and the related devices. However, we are withholding and redacting technical information that could give potential attackers a roadmap.
We are unaware of any imminent threat to patient safety. However, we believe it is prudent from a security standpoint for STJ to immediately disable the RF capability of patients’ implanted devices. Regardless, Cardiac Device users should speak with their physicians about the risks. Muddy Waters is providing the United States Food and Drug Administration and Department of Homeland Security with a version of this report, and expects to facilitate dialogue between the agencies and MedSec.
As we detail in this report, Muddy Waters believes there is a strong possibility that STJ will need to recall its pacemakers, ICDs, and CRTs while it hardens security of the device ecosystem. This recall would likely entail a moratorium on sales of these devices, and we estimate this moratorium would be effective for a remediation period of at least two years.
The devices MedSec studied, and that formed the basis for these conclusions, included pacemakers and ICDs, but did not include CRTs. Because the CRTs are compatible with the compromised Merlin@home devices, this report assumes that they have similar vulnerabilities, and should also be recalled and remediated. (Were the CRTs not to have the expected or similar vulnerabilities, then those products would not need to be recalled.)
The Merlin@home devices were obtained second-hand – often from online vendors. The programmers were obtained via a third-party partnership with a licensed physician. The observations regarding device security in this report are derived from the substantial majority of devices studied, and it is possible that newer versions of these devices have some security enhancements that could eliminate some seemingly minor vulnerabilities in those particular devices.
However, even if new generations of devices have some enhancements, we still view the entire ecosystem as greatly compromised. There are likely hundreds of thousands of Merlin@home devices with easily exploitable vulnerabilities in the world, and vulnerable devices are easily purchased online for no more than $35. This train has already