back to article Our pacemakers are totally secure, says short-sold St Jude

The manufacturer of pacemakers and defibrillators has slammed a report by security researchers, arguing it puts patients' lives at risk. On Thursday security startup MedSec claimed that St Jude Medical pacemakers and defibrillators were easily hackable and that hackers could either run down the batteries in patent's implanted …


  1. Sebastian A

    Thankfully the US will soon have a president who'll hold Wall St to account for these kinds of shenanigans. Oh wait...

    1. kain preacher Silver badge

      That's called insider trading. The feds can go after them

      1. Dr_N Silver badge

        US politicians are exempt from insider trading laws.

        Shocking, but true.

      2. Anonymous Coward
        Anonymous Coward

        That's called insider trading. The feds can go after them

        I'm not sure it's insider trading but it sure is a dodgy type of reverse pump & dump. Worth keeping an eye on - especially if the basis of this report turns out to be false there will be all sorts of fun consequences.

        If it is NOT followed up in court I suspect Wall Street will have a new way to manipulate stock without consequences. Not that they appear to need that, but it made a profit. As far as I understand the US brand of capitalism, that appears to function as a sort of universal get-out-of-jail card.

        1. Primus Secundus Tertius Silver badge

          Exactly right, AC!

          Not insider trading, but shaking the market with irresponsible rumours and waiting for the money to fall out.

          Happens in London as well, as I am sure you know.

        2. kain preacher Silver badge


          Insider trading is much different in the US then in the UK. Insider trading is if you have information that is not available to the general public that can affect the share prices and is used to make money off the information. It does not require you to work for the company. IE you find out that a product is about to be labeled defective. The gov is going to issue a recall before making it public.

          1. Anonymous Coward
            Anonymous Coward

            Re: `

            Insider trading is if you have information that is not available to the general public that can affect the share prices and is used to make money off the information.

            Yes, but is it insider trading if you simply make shit up? In that case you're misleading investors by making it appear you have insider information, but in reality you're just trolling a stock to short it. I'm not sure what laws that breaks, but I suspect the SEC may have that answer ready to roll.

  2. Gene Cash Silver badge
    Thumb Up


    Crap security is starting to become a monetary concern to the manufacturers.

    Good! Maybe it'll start being a concern when they code the next product.

    I see they didn't contact the manufacturer, but they sound like the sort of self-rightous "It couldn't happen to OUR product" assholes that would have swept it under the rug and instantly threatened lawsuits. Instead, they got a public beating that seems to have been fairly productive.

    1. Old Handle

      Re: Finally

      Absolutely, I see that as a good thing. Now if it turns out they released bogus information in order to manipulate the stock price, I hope they get in serious trouble, we'll have to wait and see.

  3. Oengus Silver badge

    When there is a quick buck to be made.

    Responsible disclosure rules

    When there is a quick buck to be made most of the "Bloomberg/Dealers/Traders" types will jump at the opportunity and cash in and damn responsible behaviour. Doubly so when there is a "loophole" they think can exploited.

    1. heyrick Silver badge

      Re: When there is a quick buck to be made.

      I think it is simply that "responsible behaviour" is fundamentally incompatible with the market. You can't cash in while being "nice".

  4. Andrew Commons

    Faraday cage?

    "Once the device is implanted into a patient, wireless communication has an approximate 7-foot range."

    Regardless of the sensitivity of the receiver or the strength of the transmitter used by the attacker?

    1. Goopy

      Re: Faraday cage?

      Ya gotta love how MedSec hasn't yet said a word on how they did the tests. Good point, mate!

    2. ecarlseen

      Re: Faraday cage?

      This. Anyone who goes around saying that "the range of this product is x" when they don't control all sides of communication is full of it. It's not just sensitivity and strength - the right antenna(s) make a huge difference as well.

    3. Paul Renault

      Re: Faraday cage?

      I saw that range of 7 feet and through: Whaaa! It should be inches, not feet!

    4. a_yank_lurker Silver badge

      Re: Faraday cage?

      Both sides are probably ladling the BS though I think the company is probably laying out less. The "report" was issued in a manner to cause a share price drop so some short sellers could make a killing (pun intended). These devices are vulnerable because they require a radio link for some of the functionality. However, how easy are the vulnerabilities to exploit is also important. If the company claims are reasonably close to reality then the real story is not they exist but they are difficult use and the vast majority of patients do not need to worry.

  5. paulf Silver badge

    Let's get this straight

    One company finds a security hole in another company's products and accuses that company of not fixing them because they put profit before safety but before disclosing their findings they place a bet on that company's shares in the hope their (disputed) report pushes the share price down which it does thus they make a profit at the expense of the safety that would have resulted from a prompt disclosure.

    Surely this is just a sophisticated pump and dump scam?

    1. Mark 85 Silver badge

      Re: Let's get this straight

      More like market manipulation which can be "pump and dump" but that's something different. I wondering how the SEC will respond to this as this whole scenario does stink to high heaven. While I find it interesting that MedSec would do this, not contacting St. Jude before selling short and announcing really seems unethical to me.

      1. paulf Silver badge

        Re: Let's get this straight

        @ Mark 85 "More like market manipulation..."

        You're right. By means of an excuse, I wrote that comment at 0500 (long story) on BH Monday and as I'd only had one coffee by then the brain was more sludgy than normal. Icon - what I enjoyed several of that evening after a long day.

  6. Ru'

    Surely they could fall foul of all the missuse of computer equipment hacking type charges often levelled at hackers of government systems? It's one thing finding weaknesses and reporting them to the manufacturer so they can be fixed, but quite another making a quick buck first.

    1. Goopy

      Uh, At. Jude isn't a government entity, so how does your guess play out?

  7. moiety

    If the company really has faith in their products, then they can buy their shares back when they're cheap and come out well ahead in the long run.

  8. Clive Harris

    St Jude? What a name!

    St Jude, otherwise known as St Judas, is traditionally the patron saint of lost causes. I'm not sure I'd want his name attached to a vital piece of medical equipment.

    Explanation: St Judas, i.e. the "good Judas", or the "other Judas", seems to have been a good bloke, but had the misfortune to share the same name as the worlds most infamous traitor - a bit like having the surname "Hitler", only worse. As a result, he was going to have a rough ride whatever he did. I think that's why, in some peoples' minds, he ended up as the "Saint of Last Resort", specialising in doomed enterprises.

  9. Natalie Gritpants

    Who wins, who loses?

    Some shareholders have sold at lower than they would have - losers

    The short selling parasites have made some money - winners

    Medsec have blown their reputation for a scummy deal - total losers

    1. katrinab Silver badge

      Re: Who wins, who loses?

      Some shareholders bought shares for a higher price than they would have, had they known the full information about the company that the seller was in possession of.

      Shorting shares works like this: You borrow shares from a mutual fund, pension fund or similar. You sell those shares on the market. You buy them back at the end of the loan period at hopefully a cheaper price than you sold them for, and you hand them back to the lender.

  10. Pascal Monett Silver badge

    "Muddy Waters, the Wall Street firm"

    A Wall Street firm named Muddy Waters.

    Are they actually trying to make people understand what a cesspit the whole Stock Exchange thing has become ?

    1. TechnicalBen Silver badge

      Re: "Muddy Waters, the Wall Street firm"

      This is America. It is probably the founder real life and parent given name.

      1. cd

        Re: "Muddy Waters, the Wall Street firm"

        They re trying to represent themselves as a Blues Chip stock.

  11. lglethal Silver badge

    Two points

    1) How on Earth do you pick up a second hand Pacemaker on ebay?!?!?!?!?!?!??!?!

    2) I hope the SEC Take MedSec and Muddy Waters to the absolute cleaners. this is absolutely disgraceful behavior. Ethics, I'm sure they've heard of them. ("That's that place near Wethics, right?")

    1. Trevor_Pott Gold badge

      Re: Two points

      Company A buys pacemakers to hold them in stock as it is a warehouser or retailer of medical supplies to the Americal private medical industry.

      Company A goes out of business and has its assets sold off to pay creditors.

      Company A assets which cannot be immediately sold via reputable channels are sold to scavengers who specialize in offloading anything and everything on the secondhand market.

      Company B buys pacemaker on ebay from scavenger hawking remains of Company A's assets.

      If you look hard enough, you can find anything excepting better-than-university-grade fissionable material sold in this fashion, but if you work at it you can get some gas centrifuges and ------++++++CARRIER LOST

      1. Alistair Silver badge

        Re: Two points



    2. Queeg

      Re: Two points

      I kid you not...

      It is illegal in most countries to incinerate powered medical devices.

      After death Pacemakers/Defibrilators are removed before cremation.

      They can then be sterilised, tested, recharged and believe it or not

      implanted into Horses* and other large animals.

      Thereby giving plenty of opportunity for 2nd hand equipment to fall into the wrong hands.

      *Got it from the Horses mouth(Cardiologist Consultant)

    3. Andrew Commons

      Re: Two points

      1. Old Handle

        Re: Two points

        Wow, they're cheep! Next time I need a pacemaker I'm getting it on eBay. I'll save a bundle.

        1. Pompous Git Silver badge

          Re: Two points

          Given that my CRT-D is a bit more than just a pacemaker and cost $AU60,000, I suspect that you might get what you pay for on eBay. The voices in my head told me they make you stick your arm out straight and repeatedly say "EX-TERMINATE" and "PUT IT IN THE CURRY" in a somewhat mechanical voice.

          Pakistani Daleks

  12. jjrr

    That's great

    This is the way to go: we'd see some progress if company stocks got whacked every time they release products with lousy security.

    1. sabroni Silver badge

      Re: That's great

      we'd see some progress if company stocks got whacked every time someone released fictional security warnings.

      1. jjrr

        Re: That's great

        That's a fair comment, but it is illegal to manipulate public stock by way of false information. I'd imagine that going all out with a false security advisory is just as illegal as declaring falsely that e.g. a CEO is resigning.

  13. Chris G Silver badge

    The essence of Free Marketeering

    Start a rumour about someone, sell them short and ass rape them, when the smoke has cleared you have their true worth??!!

    Here is Muddy Waters the short seller;

    And here the original Blues guy;

    I know wihich one I prefer.

  14. allthecoolshortnamesweretaken Silver badge

    "Rather than inform the company, MedSec did a deal with a Wall Street firm to short-sell St Jude stock and then go public with the news."

    Oh, the joys of capitalism.

    1. Adam Foxton

      That's not Capitalism.

      That's crime.

      1. Steve Knox Silver badge

        Re: That's not Capitalism.

        That's crime.

        Presumes a significant difference.

  15. tekHedd

    7 feet?

    Ethics aside, has St Jude ever heard of directional antennas?

  16. Adam Foxton

    7 Foot range for an immobile target

    It's a good thing people with Pacemakers are in the peak of physical health and don't need to lay still in, say, a Hospital bed. Or at home. Or sit in a car. Or anywhere else that could be fitted with a pinging 'bug'.

    And that's before all the comments above about different aerials etc kick in.

    1. Donn Bly

      Re: 7 Foot range for an immobile target

      Actually, most people with pacemakers (well, at least 100% of the people that I know that have them) are quite active, often more-so than the average person of their age.

      The reason is that since they have already had a close call they generally aware of he ramifications of a sedentary lifestyle and go out of their way to make sure that it doesn't happen again.

    2. Wayne Sheddan

      Re: 7 Foot range for an immobile target

      Most already carry a wifi 'ping bug' tool. Its called a smartphone... And you're guaranteed that it will be within 2.4Ghz range almost all the time. No need to stay still anyway!

      My guess is the manufacturers are already developing smartphone apps that talk to the implanted devices to enable continuous logging e.g. a smartphone based ECG logger.

      What do you mean when you say my phone is allowed to access the pacemaker in my chest?

  17. rdhood

    7 ft range...

    If the thing is implanted in my chest, it needs to have secure communications at ANY distance. Limiting comms to 7ft... or even 7mm... might prevent a mass attack, but it doesn't prevent a targeted attack.

    1. Pompous Git Silver badge

      Re: 7 ft range...

      As a wearer (?) of a St Jude cardiac resynchronisation device & defibrillator (rather more than a pacemaker) there's a couple of things to note. The device speaks to a box (Merlin@home Transmitter) that I need to sleep near so the CRT-D can tell it when things go awry. The Merlin is connected to the telephone line for the purposes of transmitting data to the St Jude website and which then automatically emails my cardiologist.

      I must be within 3 metres of the Merlin for it to work and that's ~10 feet, not 7. When I asked if information can be transferred from the Merlin to the CRT-D, I was told not. The device the technologist uses to make changes to the CRT-D's settings is via an induction coil that sits on my chest.

      I suspect that in order to change the settings on the CRT-D, potential miscreants would need to lure me within range of a very large induction induction coil, or heavily disguise themselves as my GP and use a stethoscope with an unusually large listening piece.

      Apropos being immobilised by my condition, the reverse is the case. For a decade I was diagnosed as a chronic asthmatic and was always short of breath. By last December I had to stop for a breather after walking a hundred metres. Since the correct diagnosis of heart failure and change in drugs, I have resumed (almost) all of the things I used to be able to do and suspect I'm physically more active than the average joe.

  18. Nya

    Medical Devices

    And hacking of medical devices is new? It, it's the only way many devices actually do what's actually needed due to the piss poor security and the fact with a bit of home fiddling and you can access them far beyond what the manufacturers claim are possible.

    Security to these companies is seen as one of those "not needed" or something they'll only watch what the opensource community is doing to improve their devices and then going out of their way to make it harder to prevent the community having home brew hardware far in advance of that they sell. But security to protect people?! That's never been on the agenda.

    1. Pompous Git Silver badge

      Re: Medical Devices

      it's the only way many devices actually do what's actually needed due to the piss poor security and the fact with a bit of home fiddling and you can access them far beyond what the manufacturers claim are possible.

      The Merlin Programmer is a dedicated device that runs its software on Linux.

      Merlin™ Patient Care System

      I doubt that it's something a "home fiddler" would find in the garage.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019