Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security
from the broken-workarounds-for-a-broken-system dept
The one-two punch of incompetent IT administrators and botched connected device security has resulted in an unsurprising spike in ransomeware attacks across the medical industry. And while the rise in easily hacked "smart" TVs, tea kettles, and kids toys is superficially funny in the consumer internet of things space, it's less amusing when you're a patient relying on poorly secured pace makers and essential medical equipment. But much like the internet of things space these devices are not only poorly secured, they're supported by companies that aren't very good at releasing timely security updates.Case in point: a team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.
According to MedSec Chief Executive Officer Justine Bone, St. Jude has a long history of implementing sub-standard security, and then doing little to nothing once these vulnerabilities are pointed out:
"As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.So MedSec tried something relatively unique. Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.
The report has been posted to the Muddy Waters website (pdf), with both companies standing to profit should the company's stock price take a tumble (which has already begun, with the stock dropping 12% before trading being halted). The timing is trouble for St. Jude, which is in the process of finalizing a potential $25 billion acquisition by Abbott Laboratories. MedSec, for what it's worth, says they only took this route because they believed St. Jude would either ignore the vulnerabilities or engage in legal hostilities:
"We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable."Unsurprisingly, the decision to punish St. Jude in this fashion immediately triggered an ethics debate in the hacker and security community. Some were quick to argue that failing to update necessary medical equipment was the real ethics violation. Some believe both St. Jude and Muddy Waters are being intentionally misleading for the sake of profit and marketing, and others are solely appalled by the short selling tactic itself. In the latter category sits security researcher Kenn White, who called the moved little more than "pure naked greed":
Let's not dance around it. Everything about this MedSec/Muddy Waters scheme is grossly unethical. Pure naked greed. pic.twitter.com/qj5yDgxtuM
— Kenn White (@kennwhite) August 25, 2016
"We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions."MedSec says it found two 0 day exploits opening pacemakers to attack, either by draining the battery or crashing the device software (both require being relatively close to the target). But the group also found that the company's pacemakers often use no encryption nor authentication over wireless, and the devices all use the same password to connect to the St Jude network, opening the door to a reverse engineering hack on the network at large. MedSec and Muddy Waters continue to insist the company's history indicates it would not have fixed the vulnerabilities in a timely fashion using traditional reporting methods and bounties.
Regardless of which side you believe is being more or less self-serving, punishing companies for their security incompetence using the only language they truly understand adds a massive and interesting new wrinkle in the never-ending debate over hacking ethics, and the over-arching quest to bring some accountability to companies still treating life-protecting security like an annoying afterthought.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, internet of things, pacemaker, security, short selling
Companies: medsec, muddy waters, st. jude medical
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Parallels
Just throwing that out there.
[ link to this | view in thread ]
It's like these idiots who discover security holes in a company's website. Every time someone alerts them to a security issue, they are charged with hacking that company's website. If anyone had any brains, they would release those security holes on the internet and then sit back and wait for those companies to fix their security issues.
[ link to this | view in thread ]
Question from ignorance
Thank you.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Question from ignorance
Insider trading involves people INSIDE the company using not publicly available information to profit. For example, an earnings report, or merger.
In this case, people outside the company, used publicly available information to deduce a security flaw. anyone could have done the same thing.
[ link to this | view in thread ]
Re: Re: Question from ignorance
[ link to this | view in thread ]
This happens all the time. You are essentially gambling on the fact that the stock will drop in price and that's where you profit from the short sell.
IN this scheme, you don't actually own the stock you're short selling and you're betting that you'll be able to buy back the stock at a lower price when the stock drops.
Instead of buy low and sell high, you're doing this in reverse. But, there is risk if the owner of the stock finds out what you're doing and sells the stock before you can 'short sell'.
[ link to this | view in thread ]
Re: Question from ignorance
[ link to this | view in thread ]
Just a question
I'm under the impression that the flaws made the stock go down and not the shortselling. If this is the case the shortselling part is only to get money (or be paid if you prefere) for the discovery of the flwas.
[ link to this | view in thread ]
My First Thought: The Runaway Jury
I personally do not see the problem as long as the info on the security problems is correct. We have been seeing a lot of companies just sweep these issues under the rug and not spending the time and money to fix them. Hitting the shareholders in the pocket may be the only way to get them to act.
The only problem I see is if people start using fake security problems to try and drive down stock prices and make money off of it.
[ link to this | view in thread ]
Where digital security fails you, physics come to the rescue. Or something. Yay?
[ link to this | view in thread ]
Re: My First Thought: The Runaway Jury
[ link to this | view in thread ]
Re: Question from ignorance
Releasing information for the purposes of manipulating a stock could be illegal, but I think the information would have to be false or misleading. Buying/selling/shorting purely to manipulate the price could be illegal too, but I don't think that's what happened. Probably, they analyzed the software and thought other investors have been buying without fully understanding the company. It's basically "value investing".
[ link to this | view in thread ]
Re: Parallels
Their stock price may go down, and that can be viewed as a loss, but it's only a loss on paper in the near term. St. Jude could prevent any loss in stock price by behaving better. Even if their stock price fell to zero, they could still continue as a business in theory. For example, if their customers didn't walk away.
[ link to this | view in thread ]
Re: Just a question
Technically, nothing. A company is not directly affected by their stock price, unless they happen to own shares of their own stock. But realistically, they may want to create and sell new shares in the future, and a lower stock price means they'll get less money. (Conversely, if they believe the security claims are overblown, they can make a public statement to that effect—so that there won't be "insider information"—and then offer to buy back shares at the new, lower, price. And sell them again when go back to the "proper" price.)
[ link to this | view in thread ]
Re: Parallels
Share price however can impact the board as the share holders can decide to replace some or all of its members..
[ link to this | view in thread ]
Re: Question from ignorance
[ link to this | view in thread ]
Puns galore
[ link to this | view in thread ]
Re: Just a question
It is common in some industries that high level executives (most of whom are not actually valuable employees) and valuable employees (most of whom are not actually high level executives) are given an option to purchase company shares at $N, with the expectation that the option is exercised when the fair market value of the shares is $(N + M) for M greater than 0. Such an exercise is profitable for the employee, particularly if they can meet certain tax requirements to reduce the taxes owed on the exercise. If this short sell causes the fair market value to be less than $N, then M is less than zero and the employees are better off buying the shares on the open market (or not at all) than they are exercising the option. At that point, having the option is no longer a reward because it cannot be turned into profit. This can be particularly painful for executives who expected to receive 6-figure or 7-figure profits based on (number of shares) * M, who now find themselves unable to receive any of that profit. Even worse, if they had exercised the option (which cost them $N per share) but not sold it yet (for tax reasons), they are now looking at an unrealized loss of $(N - FMV) for tax purposes.
In sum, driving down the share price hurts the company by hurting people it tried to reward with stock grants, who will now be unhappy that their grants are worthless or a money sink. With luck, they will vent their unhappiness toward the company for putting itself into the position that the short-sellers were so effective.
[ link to this | view in thread ]
Re: Question from ignorance
[ link to this | view in thread ]
Right on the money.
So what did St. Jude do? They immediately swept the report under the rug. Look for a lawsuit in the near future.
[ link to this | view in thread ]
Close?
While this is a concern, a murderer is a murderer and will find any means necessary to murder.
[ link to this | view in thread ]
priorities
So PR first then ? You would *hope* that their first priority would be to actually investigate the reported vulnerabilities and to develop fixes as necessary.
[ link to this | view in thread ]
Re: Close?
[ link to this | view in thread ]
Re: priorities
[ link to this | view in thread ]
Re: Question from ignorance
I hope to see MedSec's officers behind bars.
[ link to this | view in thread ]
When in a conversation, use a language the other side understands
They could have reported the problem privately, in which case the two most likely responses would be to ignore it and pretend that nothing had been said, or a lawsuit for hacking of some sort, neither of which would do anything as far as fixing the problems found. By instead hitting them where they can't ignore it, their wallets, St. Jude has a very real motivation to fix the problem rather than ignoring it and pretending it doesn't exist.
Somewhat iffy on the idea of security researchers making money off of reporting vulnerabilities like this, but with so many companies ignoring anything that does't impact their profits something like this does seem like it would be the quickest way to get a company to actually pay attention, so really, the blame rests on the companies for forcing it.
[ link to this | view in thread ]
When someone analyzes a public company, there's no requirement that they publish this analysis—even if they invest in the company or share the analysis privately (e.g., financial magazines don't give data to non-subscribers). Nor do they have to share any data with the company or the SEC. This assumes nobody involved is an insider or majority shareholder.
Did they intend to "tank" (i.e. illegally manipulate) the stock? Or were they just releasing truthful information they discovered, which made them think the stock was overvalued? I think there would be serious first-amendment concerns if it's the latter, and malicious intent could be difficult to prove here.
[ link to this | view in thread ]
Re: Re: Question from ignorance
You might, but if they are this savvy, I doubt they will blow their earnings on binge drinking at local bars. You might see them buying everybody a round at the bar, though. Courtesy of St. Jude's terrible security practices, of course. :)
[ link to this | view in thread ]
Re: Re: Told
[ link to this | view in thread ]
Re: When in a conversation, use a language the other side understands
Agreed, but a thorough review does take quite a bit of effort, and this is the most creative idea I've seen for how to fund such efforts. Maybe the FDA should be checking security, but they're basically not. St. Jude certainly should be, and obviously they're not. It's not practical for patients to fund things like this. Maybe universities could.
This might be the beginning of a new form of financial analysis. Much like people look over the public financial records—and then buy or sell stocks or make recommendations—they might analyze whatever other data is available: software (security and general quality), hardware quality (e.g. predicting a company will lose money due to shoddy hardware being returned), social media (detect a mass exodus via Linkedin to predict company troubles that haven't been made public)... I never expected that security researchers would be primarily employed by financial investment firms, but it could happen.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
I am not a stock broker, but...
So, in other words, wouldn't this end up COSTING MedSec money if it has the actual impact they want it to have? That is, after MedSec short sells, then the actual shareholder sells the actual stock, now MedSec is left holding the bag, no?
Doesn't sound very greedy to me. It's borderline alturistic.
[ link to this | view in thread ]
It certainly makes the MedSec look like scumbags profiting from the failings of others, rather than just reporting things as they find them. Making the report to the FDA without taking a stock position would be the moral thing to do.
Then again, as is often said around here, morals are not the issue.
[ link to this | view in thread ]
They are greedy bastards, nothing near a real security research team.
This is pure and simple greed
[ link to this | view in thread ]
Re: Re: Question from ignorance
[ link to this | view in thread ]
Re: I am not a stock broker, but...
MedSec is a sitting Pennsylvania legislator and a former U.S. Congressman. I am not surprised by the lack of ethical behavior. In the CEO's blog, she didn't even mention attempting to work with St. Jude Medical. She predicted their behavior. She also didn't go to the FDA who regulates medical device security.
[ link to this | view in thread ]
Federal HHS and HIPAA
HHS drops some pretty big fines... all St Jude has to do is prove that MedSec had accessed a patient list at some time... How would MedSec prove that they did not divulge? I think MedSec(as individuals) is just as guilty as St Jude for a HIPAA violation.
In addition, didn't MedSec sign some type of disclosure agreement? How about a contract violation, at the least?
Ethically, MedSec could have just asked for a release of responsibility for the lack of corrective action... which they were not/could not be responsible for enforcing corrective action in the first place. HIPAA wants all this kind of thing reported. if they were worried, that was the way to go.
Making money on it, then trying to paint yourself as having a conscience, looks pretty awkward.
I don't think that this was a well thought out action.
[ link to this | view in thread ]
Re: Applauding Scheme
on the 2nd point, broadcasting a security vulnerability seems both immoral & unethical to me. I think that a more comfortable path (for my own morals & ethics at least) would be to follow a traditional path of releasing the security holes to one of the government agencies (e.g. https://www.us-cert.gov/) or commercial groups (e.g. https://www.cve.mitre.org/ that supports such reporting.
[ link to this | view in thread ]