Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security

from the broken-workarounds-for-a-broken-system dept

Wed, Aug 31st 2016 6:34am — Karl Bode

The one-two punch of incompetent IT administrators and botched connected device security has resulted in an unsurprising spike in ransomeware attacks across the medical industry. And while the rise in easily hacked "smart" TVs, tea kettles, and kids toys is superficially funny in the consumer internet of things space, it's less amusing when you're a patient relying on poorly secured pace makers and essential medical equipment. But much like the internet of things space these devices are not only poorly secured, they're supported by companies that aren't very good at releasing timely security updates.

Case in point: a team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.

According to MedSec Chief Executive Officer Justine Bone, St. Jude has a long history of implementing sub-standard security, and then doing little to nothing once these vulnerabilities are pointed out:

"As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

So MedSec tried something relatively unique. Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.

The report has been posted to the Muddy Waters website (pdf), with both companies standing to profit should the company's stock price take a tumble (which has already begun, with the stock dropping 12% before trading being halted). The timing is trouble for St. Jude, which is in the process of finalizing a potential $25 billion acquisition by Abbott Laboratories. MedSec, for what it's worth, says they only took this route because they believed St. Jude would either ignore the vulnerabilities or engage in legal hostilities:

"We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable."

Unsurprisingly, the decision to punish St. Jude in this fashion immediately triggered an ethics debate in the hacker and security community. Some were quick to argue that failing to update necessary medical equipment was the real ethics violation. Some believe both St. Jude and Muddy Waters are being intentionally misleading for the sake of profit and marketing, and others are solely appalled by the short selling tactic itself. In the latter category sits security researcher Kenn White, who called the moved little more than "pure naked greed":

Let's not dance around it. Everything about this MedSec/Muddy Waters scheme is grossly unethical. Pure naked greed. pic.twitter.com/qj5yDgxtuM
— Kenn White (@kennwhite) August 25, 2016

Not too surprisingly, St. Jude was quick to issue a statement claiming MedSEC used "flawed test methodology on outdated software," demonstrating "lack of understanding of medical device technology.":

"We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions."

MedSec says it found two 0 day exploits opening pacemakers to attack, either by draining the battery or crashing the device software (both require being relatively close to the target). But the group also found that the company's pacemakers often use no encryption nor authentication over wireless, and the devices all use the same password to connect to the St Jude network, opening the door to a reverse engineering hack on the network at large. MedSec and Muddy Waters continue to insist the company's history indicates it would not have fixed the vulnerabilities in a timely fashion using traditional reporting methods and bounties.

Regardless of which side you believe is being more or less self-serving, punishing companies for their security incompetence using the only language they truly understand adds a massive and interesting new wrinkle in the never-ending debate over hacking ethics, and the over-arching quest to bring some accountability to companies still treating life-protecting security like an annoying afterthought.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, internet of things, pacemaker, security, short selling
Companies: medsec, muddy waters, st. jude medical

40 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 31 Aug 2016 @ 6:47am

"Pure naked greed" But, is it, really? It's probably the only action preventing St. Jude Medical from using the go-to option for most companies exposed for their abhorrent security practices: a court case. If they do decide to go the nuclear option, I'm quite sure this money will be used to mount a legal defense. Some say greed, I say planning for success.
[ link to this | view in chronology ]
- JMT (profile), 31 Aug 2016 @ 6:02pm
  
  Re:
  Even if there is some element of greed here, calling it "pure" completely ignores the huge societal benefit to this problem being made public. Lives are literally at stake, so highlighting it is not just a Good Thing to do, it's morally imperative.
  [ link to this | view in chronology ]
Tim R (profile), 31 Aug 2016 @ 7:34am

Parallels
The only thing that bothers me here is that we're seeing basically the same thing that happened with Gawker: somebody with deep pockets trying to run another company down. In Gawker's case, it was litigating out of existence. In St. Jude's, it's driving the stock price down. Now, the argument can be made that motivations were different, that MedSEC is maybe a shred more altruistic than Theil, and that this isn't anywhere near likely to put St. Jude out of business (not directly, anyway), but it's still an interesting thought exercise.

Just throwing that out there.
[ link to this | view in chronology ]
- Doug (profile), 31 Aug 2016 @ 8:37am
  
  Re: Parallels
  I don't think this is the same at all. No one is using their money to run down St. Jude's. They are using information about St. Jude's behavior. And they aren't directly costing St. Jude money. St. Jude doesn't have to directly spend money in response to this.
  
  Their stock price may go down, and that can be viewed as a loss, but it's only a loss on paper in the near term. St. Jude could prevent any loss in stock price by behaving better. Even if their stock price fell to zero, they could still continue as a business in theory. For example, if their customers didn't walk away.
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 8:43am
  
  Re: Parallels
  Technically, the share prices can fall to zero, or even go negative without putting the company out of business. After all the company has the money from the original sale, and the value of the shares is what other people value them out.
  Share price however can impact the board as the share holders can decide to replace some or all of its members..
  [ link to this | view in chronology ]
Anonymous Coward, 31 Aug 2016 @ 7:38am

MedSec and Muddy Waters should be applauded for engaging in this scheme. St Jude was warned about the security vulnerabilities and they did nothing about it. By punishing companies and entities that have security vulnerabilities is the only way that they will learn and fix their security holes before someone without ethics or morals comes along and creates serious problems for those companies and entities.

It's like these idiots who discover security holes in a company's website. Every time someone alerts them to a security issue, they are charged with hacking that company's website. If anyone had any brains, they would release those security holes on the internet and then sit back and wait for those companies to fix their security issues.
[ link to this | view in chronology ]
- Scott Yates (profile), 31 Aug 2016 @ 7:43am
  
  Re:
  I thought the story indicated that they did NOT inform St. Jude about the problems prior to release because they feared how they would react.
  [ link to this | view in chronology ]
  - MDT (profile), 31 Aug 2016 @ 2:16pm
    
    Re: Re: Told
    I think the original commentor means that St. Jude has a history of ignoring notifications of security issues, and therefore, that St. Jude deserves whatever the hell happens to them.
    [ link to this | view in chronology ]
- JonK (profile), 9 Sep 2016 @ 8:32pm
  
  Re: Applauding Scheme
  After 45+ years of working in/with Federal Government Agencies (FGA) & large corporations (Corps), I have to agree that both have neither morals or ethics, nor do the people running these organizations think that they should, and worse yet to me, neither does the judiciary that judge their actions. Both FGA and Corps state that the only thing that's important is giving a good return to those that support them. For FGA it is the President, his/her advisers, and Congress. For Corps it is cash to the stockholders. So, punishing either by reducing available cash or stock price, is more likely to work than appealing to their non-existent morals or ethics.
  
  on the 2nd point, broadcasting a security vulnerability seems both immoral & unethical to me. I think that a more comfortable path (for my own morals & ethics at least) would be to follow a traditional path of releasing the security holes to one of the government agencies (e.g. https://www.us-cert.gov/) or commercial groups (e.g. https://www.cve.mitre.org/ that supports such reporting.
  [ link to this | view in chronology ]
Scott Yates (profile), 31 Aug 2016 @ 7:42am

Question from ignorance
Please pardon my ignorance, but this SEEMS like insider trading. Could someone with more experience and knowledge in this realm help me better understand why it is or is not?

Thank you.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 7:51am
  
  Re: Question from ignorance
  Nope.
  Insider trading involves people INSIDE the company using not publicly available information to profit. For example, an earnings report, or merger.
  
  In this case, people outside the company, used publicly available information to deduce a security flaw. anyone could have done the same thing.
  [ link to this | view in chronology ]
  - Scott Yates (profile), 31 Aug 2016 @ 7:52am
    
    Re: Re: Question from ignorance
    I see. Thank you!
    [ link to this | view in chronology ]
  - Norahc (profile), 1 Sep 2016 @ 5:33am
    
    Re: Re: Question from ignorance
    But was the information publicly available? My take is they found the flaws, set up to short sale the stock THEN made the info available. Seems like stock manipulation to me, but what do I know?
    [ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 7:59am
  
  Re: Question from ignorance
  IANAL, but i believe insider trading only exists when you are trading on confidential insider information. Assuming the actors here went out and purchased the devices like anyone else can, there research is derived from publicly available information and there is nothing confidential involved, particularly as they are not "insiders" to St Jude's. Perhaps someone will try and throw CFAA/DMCA at them somehow, but the trading likely is legal (if not entirely ethical/moral).
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 8:36am
  
  Re: Question from ignorance
  It's normal for people to analyze a company by looking at public information, and then make decisions like buying/selling/shorting based on their private analysis. There's some interesting novelty in this case, but I don't think it's really that different—they're asking "is the company's software as secure as they claim?", where traditionally people have asked "are their finances as secure as they claim?". There's generally no duty to publish research you performed when making decisions about a public company (things could be different if you're an insider, or got information from an insider, or hold a significant or controlling interest—but the software is publically available and implanted in members of the general public).
  
  Releasing information for the purposes of manipulating a stock could be illegal, but I think the information would have to be false or misleading. Buying/selling/shorting purely to manipulate the price could be illegal too, but I don't think that's what happened. Probably, they analyzed the software and thought other investors have been buying without fully understanding the company. It's basically "value investing".
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 8:45am
  
  Re: Question from ignorance
  It could be market manipulation, specifically Stock Bashing, if they're really taking actions for the purpose of "punishing" a company. They should be careful with such claims; but I suspect "punishing" is a reporter's exaggeration and not an actual claim they made.
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 9:28am
  
  Re: Question from ignorance
  No, as there are no insiders involved here, it's not insider trading. It may, however, be stock manipulation, which is also an offense under SEC rules.
  [ link to this | view in chronology ]
- TruthHurts (profile), 31 Aug 2016 @ 11:59am
  
  Re: Question from ignorance
  If the 2 entities involved "schemed" to undercut the price of the stocks to make money off of the deal, it would still be stock fraud, and is very akin to insider trading as "details" unknown to even the "company" were shared with "investors" before leaking a "story" intentionally desined to tank the stock allowing for a short sell.
  
  I hope to see MedSec's officers behind bars.
  [ link to this | view in chronology ]
  - Anonymous Coward, 31 Aug 2016 @ 1:17pm
    
    Re: Re: Question from ignorance
    I hope to see MedSec's officers behind bars.
    
    You might, but if they are this savvy, I doubt they will blow their earnings on binge drinking at local bars. You might see them buying everybody a round at the bar, though. Courtesy of St. Jude's terrible security practices, of course. :)
    [ link to this | view in chronology ]
Anonymous Coward, 31 Aug 2016 @ 7:55am

It's not insider trading. It's called a "short sale". This happens when a short seller borrows the shares and sells them, expecting they will be cheaper to buy back in the future. The owner is not notified the shares are loaned to the short seller, but this action does not impede the owner from selling at any time.

This happens all the time. You are essentially gambling on the fact that the stock will drop in price and that's where you profit from the short sell.

IN this scheme, you don't actually own the stock you're short selling and you're betting that you'll be able to buy back the stock at a lower price when the stock drops.

Instead of buy low and sell high, you're doing this in reverse. But, there is risk if the owner of the stock finds out what you're doing and sells the stock before you can 'short sell'.
[ link to this | view in chronology ]
Anonymous Coward, 31 Aug 2016 @ 8:03am

Just a question
What has short selling to do with the company losing money? Wouldn't the result be the same even without short selling?
I'm under the impression that the flaws made the stock go down and not the shortselling. If this is the case the shortselling part is only to get money (or be paid if you prefere) for the discovery of the flwas.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 8:41am
  
  Re: Just a question
  > What has short selling to do with the company losing money?
  
  Technically, nothing. A company is not directly affected by their stock price, unless they happen to own shares of their own stock. But realistically, they may want to create and sell new shares in the future, and a lower stock price means they'll get less money. (Conversely, if they believe the security claims are overblown, they can make a public statement to that effect—so that there won't be "insider information"—and then offer to buy back shares at the new, lower, price. And sell them again when go back to the "proper" price.)
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 9:00am
  
  Re: Just a question
  If the company intended to sell more shares later, or to use employee stock options to reward its employees, then driving down its share price interferes with those goals.
  
  It is common in some industries that high level executives (most of whom are not actually valuable employees) and valuable employees (most of whom are not actually high level executives) are given an option to purchase company shares at $N, with the expectation that the option is exercised when the fair market value of the shares is $(N + M) for M greater than 0. Such an exercise is profitable for the employee, particularly if they can meet certain tax requirements to reduce the taxes owed on the exercise. If this short sell causes the fair market value to be less than $N, then M is less than zero and the employees are better off buying the shares on the open market (or not at all) than they are exercising the option. At that point, having the option is no longer a reward because it cannot be turned into profit. This can be particularly painful for executives who expected to receive 6-figure or 7-figure profits based on (number of shares) * M, who now find themselves unable to receive any of that profit. Even worse, if they had exercised the option (which cost them $N per share) but not sold it yet (for tax reasons), they are now looking at an unrealized loss of $(N - FMV) for tax purposes.
  
  In sum, driving down the share price hurts the company by hurting people it tried to reward with stock grants, who will now be unhappy that their grants are worthless or a money sink. With luck, they will vent their unhappiness toward the company for putting itself into the position that the short-sellers were so effective.
  [ link to this | view in chronology ]
Richard M (profile), 31 Aug 2016 @ 8:24am

My First Thought: The Runaway Jury
Reminds me of the Grisham novel The Runaway Jury.

I personally do not see the problem as long as the info on the security problems is correct. We have been seeing a lot of companies just sweep these issues under the rug and not spending the time and money to fix them. Hitting the shareholders in the pocket may be the only way to get them to act.

The only problem I see is if people start using fake security problems to try and drive down stock prices and make money off of it.
[ link to this | view in chronology ]
- Ninja (profile), 31 Aug 2016 @ 8:35am
  
  Re: My First Thought: The Runaway Jury
  That. But such tactics will not work if the company is known to be fast in fixing their stuff. Flaws happen, the problem is if they are too common and/or if the company doesn't give a shit about them and simply don't fix them. COUGH*CELL PHONE MANUFACTURERS*COUGH
  [ link to this | view in chronology ]
Ninja (profile), 31 Aug 2016 @ 8:32am

No worries, you can always walk around in one of those or you can go medieval and opt for a beautiful wearable Faraday cage for style.

Where digital security fails you, physics come to the rescue. Or something. Yay?
[ link to this | view in chronology ]
Anonymous Coward, 31 Aug 2016 @ 8:52am

Puns galore
MedSec CEO, Justine Bone is looking to enter the muddy waters of ethics by punishing St. Jude in the securities market for the lax security of their medical devices.
[ link to this | view in chronology ]
JoeCool (profile), 31 Aug 2016 @ 9:56am

Right on the money.
"We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone,

So what did St. Jude do? They immediately swept the report under the rug. Look for a lawsuit in the near future.
[ link to this | view in chronology ]
PRMan (profile), 31 Aug 2016 @ 9:57am

Close?
If you're that close, you could use a knife or a gun.

While this is a concern, a murderer is a murderer and will find any means necessary to murder.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 10:17am
  
  Re: Close?
  Yes, but a knife or gun is an obvious, brutal attack that tends to leave witnesses. Walk around with a concealed device looking for vulnerable medical devices and nobody would be the wiser.
  [ link to this | view in chronology ]
Chris Brand, 31 Aug 2016 @ 10:04am

priorities
"Our top priority is to reassure..."

So PR first then ? You would *hope* that their first priority would be to actually investigate the reported vulnerabilities and to develop fixes as necessary.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 10:18am
  
  Re: priorities
  The playing with language ticks me off. I cringe when I hear the TSA or any authority say people want to "feel" safe. No, I want to actually "be" safe, not just "feel" safe.
  [ link to this | view in chronology ]
That One Guy (profile), 31 Aug 2016 @ 12:22pm

When in a conversation, use a language the other side understands
Given how incredibly hostile and/or dismissive the response tends to be to those that report security vulnerabilities, I find it hard to disagree with their actions here.

They could have reported the problem privately, in which case the two most likely responses would be to ignore it and pretend that nothing had been said, or a lawsuit for hacking of some sort, neither of which would do anything as far as fixing the problems found. By instead hitting them where they can't ignore it, their wallets, St. Jude has a very real motivation to fix the problem rather than ignoring it and pretending it doesn't exist.

Somewhat iffy on the idea of security researchers making money off of reporting vulnerabilities like this, but with so many companies ignoring anything that does't impact their profits something like this does seem like it would be the quickest way to get a company to actually pay attention, so really, the blame rests on the companies for forcing it.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Aug 2016 @ 2:35pm
  
  Re: When in a conversation, use a language the other side understands
  > Somewhat iffy on the idea of security researchers making money off of reporting vulnerabilities like this
  
  Agreed, but a thorough review does take quite a bit of effort, and this is the most creative idea I've seen for how to fund such efforts. Maybe the FDA should be checking security, but they're basically not. St. Jude certainly should be, and obviously they're not. It's not practical for patients to fund things like this. Maybe universities could.
  
  This might be the beginning of a new form of financial analysis. Much like people look over the public financial records—and then buy or sell stocks or make recommendations—they might analyze whatever other data is available: software (security and general quality), hardware quality (e.g. predicting a company will lose money due to shoddy hardware being returned), social media (detect a mass exodus via Linkedin to predict company troubles that haven't been made public)... I never expected that security researchers would be primarily employed by financial investment firms, but it could happen.
  [ link to this | view in chronology ]
Anonymous Coward, 31 Aug 2016 @ 12:23pm

> "details" unknown to even the "company" were shared with "investors" before leaking a "story" intentionally desined to tank the stock allowing for a short sell.

When someone analyzes a public company, there's no requirement that they publish this analysis—even if they invest in the company or share the analysis privately (e.g., financial magazines don't give data to non-subscribers). Nor do they have to share any data with the company or the SEC. This assumes nobody involved is an insider or majority shareholder.

Did they intend to "tank" (i.e. illegally manipulate) the stock? Or were they just releasing truthful information they discovered, which made them think the stock was overvalued? I think there would be serious first-amendment concerns if it's the latter, and malicious intent could be difficult to prove here.
[ link to this | view in chronology ]
Chuck, 31 Aug 2016 @ 6:34pm

I am not a stock broker, but...
According to other comments here, if you short a stock, then release this news, then any rational stockholder is going to sell their stock. Not short sell, but really sell.

So, in other words, wouldn't this end up COSTING MedSec money if it has the actual impact they want it to have? That is, after MedSec short sells, then the actual shareholder sells the actual stock, now MedSec is left holding the bag, no?

Doesn't sound very greedy to me. It's borderline alturistic.
[ link to this | view in chronology ]
- Security_Geek, 2 Sep 2016 @ 10:37am
  
  Re: I am not a stock broker, but...
  MedSec sold short meaning they sold stock they don't own by borrowing it from others. They promise to repurchase it later so need the stock price to fall. The amount of the fall is their profit.
  
  MedSec is a sitting Pennsylvania legislator and a former U.S. Congressman. I am not surprised by the lack of ethical behavior. In the CEO's blog, she didn't even mention attempting to work with St. Jude Medical. She predicted their behavior. She also didn't go to the FDA who regulates medical device security.
  [ link to this | view in chronology ]
Whatever (profile), 1 Sep 2016 @ 2:07am

Trading a stock in any manner with inside information is right on the edge of legality all the time. Knowing a problem exists and taking stock position that would benefit from it's disclosure would appear to be a perfect example.

It certainly makes the MedSec look like scumbags profiting from the failings of others, rather than just reporting things as they find them. Making the report to the FDA without taking a stock position would be the moral thing to do.

Then again, as is often said around here, morals are not the issue.
[ link to this | view in chronology ]
Anonymous Coward, 1 Sep 2016 @ 2:55am

Shit.. Scumbags

They are greedy bastards, nothing near a real security research team.

This is pure and simple greed
[ link to this | view in chronology ]
The Unknown commenter, 8 Sep 2016 @ 11:55am

Federal HHS and HIPAA
I saw no mention of these federal groups, but it seems to me that someone, somewhere put a group of patients that received these devices in grave danger.

HHS drops some pretty big fines... all St Jude has to do is prove that MedSec had accessed a patient list at some time... How would MedSec prove that they did not divulge? I think MedSec(as individuals) is just as guilty as St Jude for a HIPAA violation.

In addition, didn't MedSec sign some type of disclosure agreement? How about a contract violation, at the least?

Ethically, MedSec could have just asked for a release of responsibility for the lack of corrective action... which they were not/could not be responsible for enforcing corrective action in the first place. HIPAA wants all this kind of thing reported. if they were worried, that was the way to go.

Making money on it, then trying to paint yourself as having a conscience, looks pretty awkward.

I don't think that this was a well thought out action.
[ link to this | view in chronology ]