Muddy Waters replies to St Jude Medical

Our friends at Muddy Waters had this reply to St Jude Medical:

This past Friday, STJ published a response to the report MWC issued the day before. STJ’s response contained very little substance, and actually included admissions to several key points. There are no changes to MedSec or our conclusions about the lack of security in the STJ device ecosystem, and our belief in the need for recall and remediation. There were two components to STJ’s response: substance (~20%) and fluff (~80%). We first address the substance.1

1. STJ responded that users would have to be within seven feet of a Merlin@home in order to be vulnerable to attacks, including the attacks that MedSec demonstrated.2 This struck us as a bizarre statement because:

• It acknowledges that the hundreds of thousands of active Merlin@home users who sleep near their Merlin@homes would obviously be vulnerable to a large-scale attack when connected to the devices for a continuous time period.3

• It completely ignores our comments about broadcasting an attack through a software-defined radio (“SDR”), which can be paired with a significantly more powerful antenna. (MedSec has already demonstrated through a proof of concept this is possible via a SDR.) Because the security on the Merlin@home device is seemingly so poor, it would be relatively

Read the rest here