Short seller Muddy Waters brought in third-party security experts this week to bolster its claims in court that kit developed by medical device biz St Jude Medical contains potentially life-threatening flaws.
A 53-page report from IT security consultancy Bishop Fox was filed in a Minnesota federal court to back up the claims that St Jude's cardiac implants are susceptible to hackers.
The medical device company is suing Muddy Waters and medical IoT security firm MedSec for intentionally going public with false information about its equipment in a bid to manipulate the stock market.
When the companies went public with their assertions in August, the stock price of St Jude fell some 5%, allowing Muddy Waters to generate profits from short selling the stocks.
In response to the new document, St Jude issued a statement saying its lawyers were reviewing the Bishop Fox report and would respond in due course.
"We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions,” it added, according to Reuters.
The report is authored by Bishop Fox partner Carl Levitt and concludes that MedSec/Muddy Waters' original claims are substantially accurate.
It explains:
“St. Jude Medical cardiac devices has [sic] serious security vulnerabilities that make it possible to convert Merlin@home devices into weapons capable of disabling therapeutic care and delivering shocks to patients at distances of 10 feet, a range that could be extended using off-the-shelf parts to modify Merlin@home units.”
The situation is about as far from a normal responsible vulnerability disclosure process as one could get, with one side choosing to go public with the bugs it found in order to make money by short selling and the other responding with legal action.
Lamar Bailey, senior director of security and R&D at Tripwire, commented that lawsuits like these are among the biggest fears for security researchers.
“Most white hat researchers work through a responsible disclosure process to help the company with the offending product get a fix deployed before information is released publicly, but this takes work from both sides,” he added.
“Unfortunately we are seeing a trend where many companies outside of the legacy IT industry do not know how to respond to security concerns, choose to ignore them, or threaten the researchers. For the process to work both sides must be willing to work together for the greater good.”