A report on cybersecurity vulnerabilities in St. Jude Medical’s implantable heart devices released last week by short sellers was flawed and didn’t prove the flaws existed, according to a review by University of Michigan researchers.
Shares of St. Jude (STJ) plunged as much as 10% on Aug. 25 after the report of the alleged vulnerabilities was released jointly by cybersecurity research firm MedSec Holdings and investment firm Muddy Waters, which primarily focuses on short selling, or betting that the stock prices of companies it picks will decline.
Though the firms disclosed that they had a joint financial arrangement to profit from a fall in St. Jude’s stock price, the arrangement was considered highly unusual. Security researchers usually first approach the subject of their vulnerability analysis before going public.
Get Data Sheet, Coins2Day’s technology newsletter.
But now other researchers are questioning the MedSec report, which claimed that pacemakers and implantable defibrillators sold by St. Jude could be hacked in ways that could jeopardize a user’s safety. The implanted devices have wireless radios to connect to a home monitoring station that can then back up data to St. Jude.
“We’re not saying the report is false,” Kevin Fu, associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security at University of Michigan, said in a statement. “We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue.”
Screen shots of error messages cited by MedSec as proof of the vulnerabilities did not prove that any security flaws existed, the Michigan researchers said. “In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard,” Fu said.
St. Jude, which is the midst of being acquired by Abbott Labs (ABT) for $25 billion, had also pushed back hard last week against the allegations. It said the report analyzed outdated software and demonstrated a “fundamental lack of understanding of medical device technology.”
Security expert Robert Graham also challenged some of the MedSec findings on his blog, Erratta Security, on Friday.
“There are many ethical issues, but the first should be dishonesty and spin of the Muddy Waters research report,” Graham wrote. “The report is clearly designed to scare other investors to drop St. Jude stock price in the short term so that Muddy Waters can profit. It’s not designed to withstand long term scrutiny. It’s full of misleading details and outright lies.”
Shares of St. Jude, which had already recovered some of last week’s drop, were quoted at $79.45 in after hours trading on Monday. That’s still down 3% from before the MedSec report was released and below Abbott Lab’s $85 a share takeover price.