Block warned that tens of thousands of Americans are living with ticking time bombs: St. Jude pacemakers and defibrillators that are easily compromised, causing potentially fatal disruptions.
Muddy Waters became aware of the potential flaws after a startup cybersecurity company, Miami-based MedSec Holdings Inc., approached the short-selling firm three months ago. The hackers had been working for more than a year, ferreting out security flaws in medical devices made by four leading companies. One stood out from the rest: St. Jude’s products had an “astounding” level of problems, including lack of encryption and authentication between devices, which could allow hackers to tap into implanted devices, said MedSec Chief Executive Officer Justine Bone, herself an experienced hacker.
Bone said her company’s compensation is tied to the success of Block’s trade, an arrangement she knows will lead to some criticism.