{
  "docId": "019dd923-622c-750b-8b96-76efb5813bae",
  "docSlug": "8ff52fe302da",
  "documentTitle": "St. Jude Medical (STJ)",
  "authorId": "51_Muddy_Waters",
  "authorName": "Carson C. Block",
  "documentKindSlug": "research-note",
  "documentKindLabel": "Research note",
  "sourceTypeSlug": "short_seller",
  "sourceTypeLabel": "Short seller",
  "presentationDate": "2016-08-25 00:00:00",
  "orientation": "portrait",
  "aspectRatio": 0.77272725,
  "pageNumber": 8,
  "pageCount": 34,
  "prevPage": 7,
  "nextPage": 9,
  "slideType": "problem_statement",
  "function": "diagnose_problem",
  "density": "dense",
  "nDataPoints": 0,
  "notes": "This slide details specific technical security failures found during research.",
  "elementsJson": [
    "paragraph",
    "bullet_list",
    "footnote"
  ],
  "metadataConfidence": 0.9,
  "imagePath": null,
  "slideHref": "/slides/019dd923-622c-750b-8b96-76efb5813bae/8",
  "deckHref": "/decks/019dd923-622c-750b-8b96-76efb5813bae",
  "deckJsonHref": "/decks/019dd923-622c-750b-8b96-76efb5813bae.json",
  "deckAnchorHref": "/decks/019dd923-622c-750b-8b96-76efb5813bae#slide-8",
  "components": [
    {
      "bbox": null,
      "kind": "callout",
      "text": "There are numerous ways in which the Merlin@home devices violate security standards (and defy logic):",
      "attrs": null,
      "subkind": null,
      "toolName": "Visual emphasis",
      "toolSlug": "visual-emphasis",
      "confidence": null,
      "componentId": "019dd953-1ac3-70f9-854e-c7618aca6e70",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.45,
        "w": 0.78,
        "x": 0.11,
        "y": 0.17
      },
      "kind": "list",
      "text": "No apparent tamper-proofing or hardware identity protection. Unprotected software. Lack of a layered defense. Easy availability of device firmware.",
      "attrs": null,
      "subkind": "bullet",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "5b220a1b-e3e3-4400-a47f-9df93cb5fac7",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.05,
        "w": 0.78,
        "x": 0.11,
        "y": 0.75
      },
      "kind": "paragraph",
      "text": "The first shocking thing one encounters when getting root on the Merlin@home device is unencrypted security information that takes no additional effort to access. This information includes:",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "58a367cc-1f7c-4344-83a8-a70661bbe529",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.06,
        "w": 0.78,
        "x": 0.11,
        "y": 0.62
      },
      "kind": "paragraph",
      "text": "MedSec believes a software update was likely pushed to some of the Merlin@home devices that made them appear more secure; however, in MedSec's opinion, this update represented a very slight change in security.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "ef3bd584-adf1-4232-877b-d48aefc60908",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.06,
        "w": 0.78,
        "x": 0.11,
        "y": 0.09
      },
      "kind": "paragraph",
      "text": "\"Getting root\" on the Merlin@home devices exposes sensitive STJ network credentials. We believe the ease of getting root shows how poor the device security is. MedSec identified three methods to get root on the @home devices.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "f54e4045-bf77-4413-a456-847182651a0c",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.06,
        "w": 0.78,
        "x": 0.11,
        "y": 0.85
      },
      "kind": "source-note",
      "text": "11 See https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit-WP.pdf\n12 Devices manufactured in 2016 are difficult to obtain on the secondary market. MedSec was able to obtain one such device, and was able to get root using a previously identified exploit.",
      "attrs": null,
      "subkind": null,
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "dba4d4f3-8891-45a8-bbde-db360481fd1e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.02,
        "w": 0.35,
        "x": 0.11,
        "y": 0.71
      },
      "kind": "title",
      "text": "Getting Root Opens the Door",
      "attrs": null,
      "subkind": "action-title",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "874473a9-429e-4370-8c7c-1f6cc684df4f",
      "frameworkName": null,
      "frameworkSlug": null
    }
  ],
  "metrics": [],
  "tools": [],
  "frameworks": [],
  "arcBeats": [
    {
      "to": 9,
      "from": 8,
      "beatId": "716e823d-942f-4aa0-b02d-57823f8af9bd",
      "arcName": "Problem-Agitate-Solution",
      "arcSlug": "problem-agitate-solution",
      "beatName": "Problem (Identify pain)",
      "beatSlug": "problem-agitate-solution-problem-identify-pain",
      "evidence": "The document identifies the problem of security vulnerabilities in St. Jude Medical's cardiac device ecosystem",
      "position": 0,
      "confidence": 0.8,
      "parentBeatName": "Complication",
      "parentBeatSlug": "complication"
    }
  ],
  "loops": [],
  "imagePathAlt": null,
  "thumbSrc": null,
  "thumbSrcAlt": null,
  "locked": true
}