Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security

from the broken-workarounds-for-a-broken-system dept

The one-two punch of incompetent IT administrators and botched connected device security has resulted in an unsurprising spike in ransomware attacks across the medical industry. And while the rise in easily hacked “smart” TVs, tea kettles, and kids’ toys is superficially funny in the consumer internet of things space, it’s less amusing when you’re a patient relying on poorly secured pacemakers and essential medical equipment. But much like the internet of things space, these devices are not only poorly secured, they’re supported by companies that aren’t very good at releasing timely security updates.

Case in point: a team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company’s pacemakers and defibrillators. And while we’ve talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.

According to MedSec Chief Executive Officer Justine Bone, St. Jude has a long history of implementing sub-standard security, and then doing little to nothing once these vulnerabilities are pointed out:

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

So MedSec tried something unusual. Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.

The report has been posted to the Muddy Waters website (pdf), with both companies standing to profit should the company’s stock price take a tumble (which has already begun, with the stock dropping 12% before trading was halted). The timing is trouble for St. Jude, which is in the process of finalizing a potential $25 billion acquisition by Abbott Laboratories. MedSec, for what it’s worth, says it only took this route because it believed St. Jude would either ignore the vulnerabilities or engage in legal hostilities:

“We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing,” said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. “We partnered with Muddy Waters because they have a great history of holding large corporations accountable.”

Unsurprisingly, the decision to punish St. Jude in this fashion immediately triggered an ethics debate in the hacker and security community. Some were quick to argue that failing to update necessary medical equipment was the real ethics violation. Some believe both St. Jude and Muddy Waters are being intentionally misleading for the sake of profit and marketing, and others are solely appalled by the short selling tactic itself. In the latter category sits security researcher Kenn White, who called the move little more than “pure naked greed”:

Not too surprisingly, St. Jude was quick to issue a statement claiming MedSec used “flawed test methodology on outdated software,” demonstrating a “lack of understanding of medical device technology”:

“We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

MedSec says it found two zero-day exploits opening pacemakers to attack, either by draining the battery or crashing the device software (both require being relatively close to the target). But the group also found that the company’s pacemakers often use neither encryption nor authentication over wireless, and the devices all use the same password to connect to the St. Jude network, opening the door to a reverse engineering attack on the network at large. MedSec and Muddy Waters continue to insist the company’s history indicates it would not have fixed the vulnerabilities in a timely fashion using traditional reporting methods and bounties.

Regardless of which side you believe is being more or less self-serving, punishing companies for their security incompetence using the only language they truly understand adds a massive and interesting new wrinkle in the never-ending debate over hacking ethics, and the over-arching quest to bring some accountability to companies still treating life-protecting security like an annoying afterthought.

Companies: medsec, muddy waters, st. jude medical


Comments on “Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security”

40 Comments
Anonymous Coward says:

“Pure naked greed” But, is it, really? It’s probably the only action preventing St. Jude Medical from using the go-to option for most companies exposed for their abhorrent security practices: a court case. If they do decide to go the nuclear option, I’m quite sure this money will be used to mount a legal defense. Some say greed, I say planning for success.

Tim R says:

Parallels

The only thing that bothers me here is that we’re seeing basically the same thing that happened with Gawker: somebody with deep pockets trying to run another company down. In Gawker’s case, it was litigating out of existence. In St. Jude’s, it’s driving the stock price down. Now, the argument can be made that motivations were different, that MedSec is maybe a shred more altruistic than Thiel, and that this isn’t anywhere near likely to put St. Jude out of business (not directly, anyway), but it’s still an interesting thought exercise.

Just throwing that out there.

Doug says:

Re: Parallels

I don’t think this is the same at all. No one is using their money to run down St. Jude’s. They are using information about St. Jude’s behavior. And they aren’t directly costing St. Jude money. St. Jude doesn’t have to directly spend money in response to this.

Their stock price may go down, and that can be viewed as a loss, but it’s only a loss on paper in the near term. St. Jude could prevent any loss in stock price by behaving better. Even if their stock price fell to zero, they could still continue as a business in theory. For example, if their customers didn’t walk away.

Anonymous Coward says:

Re: Parallels

Technically, the share prices can fall to zero, or even go negative, without putting the company out of business. After all, the company has the money from the original sale, and the value of the shares is what other people value them at.
Share price, however, can impact the board, as the shareholders can decide to replace some or all of its members.

Anonymous Coward says:

MedSec and Muddy Waters should be applauded for engaging in this scheme. St. Jude was warned about the security vulnerabilities and they did nothing about it. Punishing companies and entities that have security vulnerabilities is the only way that they will learn and fix their security holes before someone without ethics or morals comes along and creates serious problems for those companies and entities.

It’s like these idiots who discover security holes in a company’s website. Every time someone alerts them to a security issue, they are charged with hacking that company’s website. If anyone had any brains, they would release those security holes on the internet and then sit back and wait for those companies to fix their security issues.

JonK (profile) says:

Re: Applauding Scheme

After 45+ years of working in/with Federal Government Agencies (FGA) & large corporations (Corps), I have to agree that both have neither morals nor ethics, nor do the people running these organizations think that they should, and worse yet to me, neither does the judiciary that judges their actions. Both FGA and Corps state that the only thing that’s important is giving a good return to those that support them. For FGA it is the President, his/her advisers, and Congress. For Corps it is cash to the stockholders. So, punishing either by reducing available cash or stock price is more likely to work than appealing to their non-existent morals or ethics.

On the second point, broadcasting a security vulnerability seems both immoral & unethical to me. I think that a more comfortable path (for my own morals & ethics at least) would be to follow a traditional path of releasing the security holes to one of the government agencies (e.g. https://www.us-cert.gov/) or commercial groups (e.g. https://www.cve.mitre.org/) that support such reporting.

Anonymous Coward says:

Re: Question from ignorance

Nope.
Insider trading involves people INSIDE the company using not publicly available information to profit. For example, an earnings report, or merger.

In this case, people outside the company used publicly available information to deduce a security flaw. Anyone could have done the same thing.

Anonymous Coward says:

Re: Question from ignorance

IANAL, but I believe insider trading only exists when you are trading on confidential insider information. Assuming the actors here went out and purchased the devices like anyone else can, their research is derived from publicly available information and there is nothing confidential involved, particularly as they are not “insiders” to St. Jude’s. Perhaps someone will try and throw CFAA/DMCA at them somehow, but the trading likely is legal (if not entirely ethical/moral).

Anonymous Coward says:

Re: Question from ignorance

It’s normal for people to analyze a company by looking at public information, and then make decisions like buying/selling/shorting based on their private analysis. There’s some interesting novelty in this case, but I don’t think it’s really that different—they’re asking “is the company’s software as secure as they claim?”, where traditionally people have asked “are their finances as secure as they claim?”. There’s generally no duty to publish research you performed when making decisions about a public company (things could be different if you’re an insider, or got information from an insider, or hold a significant or controlling interest—but the software is publicly available and implanted in members of the general public).

Releasing information for the purposes of manipulating a stock could be illegal, but I think the information would have to be false or misleading. Buying/selling/shorting purely to manipulate the price could be illegal too, but I don’t think that’s what happened. Probably, they analyzed the software and thought other investors have been buying without fully understanding the company. It’s basically “value investing”.

TruthHurts (profile) says:

Re: Question from ignorance

If the 2 entities involved “schemed” to undercut the price of the stocks to make money off of the deal, it would still be stock fraud, and is very akin to insider trading as “details” unknown to even the “company” were shared with “investors” before leaking a “story” intentionally designed to tank the stock allowing for a short sell.

I hope to see MedSec’s officers behind bars.

Anonymous Coward says:

Re: Re: Question from ignorance

I hope to see MedSec’s officers behind bars.

You might, but if they are this savvy, I doubt they will blow their earnings on binge drinking at local bars. You might see them buying everybody a round at the bar, though. Courtesy of St. Jude’s terrible security practices, of course. 🙂

Anonymous Coward says:

It’s not insider trading. It’s called a “short sale”. This happens when a short seller borrows the shares and sells them, expecting they will be cheaper to buy back in the future. The owner is not notified the shares are loaned to the short seller, but this action does not impede the owner from selling at any time.

This happens all the time. You are essentially gambling on the fact that the stock will drop in price and that’s where you profit from the short sell.

In this scheme, you don’t actually own the stock you’re short selling and you’re betting that you’ll be able to buy back the stock at a lower price when the stock drops.

Instead of buy low and sell high, you’re doing this in reverse. But, there is risk if the owner of the stock finds out what you’re doing and sells the stock before you can ‘short sell’.

Anonymous Coward says:

Just a question

What has short selling to do with the company losing money? Wouldn’t the result be the same even without short selling?
I’m under the impression that the flaws made the stock go down and not the short selling. If this is the case, the short selling part is only to get money (or be paid, if you prefer) for the discovery of the flaws.

Anonymous Coward says:

Re: Just a question

What has short selling to do with the company losing money?

Technically, nothing. A company is not directly affected by their stock price, unless they happen to own shares of their own stock. But realistically, they may want to create and sell new shares in the future, and a lower stock price means they’ll get less money. (Conversely, if they believe the security claims are overblown, they can make a public statement to that effect—so that there won’t be “insider information”—and then offer to buy back shares at the new, lower, price. And sell them again when they go back to the “proper” price.)

Anonymous Coward says:

Re: Just a question

If the company intended to sell more shares later, or to use employee stock options to reward its employees, then driving down its share price interferes with those goals.

It is common in some industries that high level executives (most of whom are not actually valuable employees) and valuable employees (most of whom are not actually high level executives) are given an option to purchase company shares at $N, with the expectation that the option is exercised when the fair market value of the shares is $(N + M) for M greater than 0. Such an exercise is profitable for the employee, particularly if they can meet certain tax requirements to reduce the taxes owed on the exercise. If this short sell causes the fair market value to be less than $N, then M is less than zero and the employees are better off buying the shares on the open market (or not at all) than they are exercising the option. At that point, having the option is no longer a reward because it cannot be turned into profit. This can be particularly painful for executives who expected to receive 6-figure or 7-figure profits based on (number of shares) * M, who now find themselves unable to receive any of that profit. Even worse, if they had exercised the option (which cost them $N per share) but not sold it yet (for tax reasons), they are now looking at an unrealized loss of $(N – FMV) for tax purposes.

In sum, driving down the share price hurts the company by hurting people it tried to reward with stock grants, who will now be unhappy that their grants are worthless or a money sink. With luck, they will vent their unhappiness toward the company for putting itself into the position that the short-sellers were so effective.

Richard M (profile) says:

My First Thought: The Runaway Jury

Reminds me of the Grisham novel The Runaway Jury.

I personally do not see the problem as long as the info on the security problems is correct. We have been seeing a lot of companies just sweep these issues under the rug and not spending the time and money to fix them. Hitting the shareholders in the pocket may be the only way to get them to act.

The only problem I see is if people start using fake security problems to try and drive down stock prices and make money off of it.

That One Guy (profile) says:

When in a conversation, use a language the other side understands

Given how incredibly hostile and/or dismissive the response tends to be to those that report security vulnerabilities, I find it hard to disagree with their actions here.

They could have reported the problem privately, in which case the two most likely responses would be to ignore it and pretend that nothing had been said, or a lawsuit for hacking of some sort, neither of which would do anything as far as fixing the problems found. By instead hitting them where they can’t ignore it, their wallets, St. Jude has a very real motivation to fix the problem rather than ignoring it and pretending it doesn’t exist.

Somewhat iffy on the idea of security researchers making money off of reporting vulnerabilities like this, but with so many companies ignoring anything that doesn’t impact their profits, something like this does seem like it would be the quickest way to get a company to actually pay attention, so really, the blame rests on the companies for forcing it.

Anonymous Coward says:

Re: When in a conversation, use a language the other side understands

Somewhat iffy on the idea of security researchers making money off of reporting vulnerabilities like this

Agreed, but a thorough review does take quite a bit of effort, and this is the most creative idea I’ve seen for how to fund such efforts. Maybe the FDA should be checking security, but they’re basically not. St. Jude certainly should be, and obviously they’re not. It’s not practical for patients to fund things like this. Maybe universities could.

This might be the beginning of a new form of financial analysis. Much like people look over the public financial records—and then buy or sell stocks or make recommendations—they might analyze whatever other data is available: software (security and general quality), hardware quality (e.g. predicting a company will lose money due to shoddy hardware being returned), social media (detect a mass exodus via Linkedin to predict company troubles that haven’t been made public)… I never expected that security researchers would be primarily employed by financial investment firms, but it could happen.

Anonymous Coward says:

> “details” unknown to even the “company” were shared with “investors” before leaking a “story” intentionally designed to tank the stock allowing for a short sell.

When someone analyzes a public company, there’s no requirement that they publish this analysis—even if they invest in the company or share the analysis privately (e.g., financial magazines don’t give data to non-subscribers). Nor do they have to share any data with the company or the SEC. This assumes nobody involved is an insider or majority shareholder.

Did they intend to “tank” (i.e. illegally manipulate) the stock? Or were they just releasing truthful information they discovered, which made them think the stock was overvalued? I think there would be serious first-amendment concerns if it’s the latter, and malicious intent could be difficult to prove here.

Chuck says:

I am not a stock broker, but...

According to other comments here, if you short a stock, then release this news, then any rational stockholder is going to sell their stock. Not short sell, but really sell.

So, in other words, wouldn’t this end up COSTING MedSec money if it has the actual impact they want it to have? That is, after MedSec short sells, then the actual shareholder sells the actual stock, now MedSec is left holding the bag, no?

Doesn’t sound very greedy to me. It’s borderline altruistic.

Security_Geek (profile) says:

Re: I am not a stock broker, but...

MedSec sold short meaning they sold stock they don’t own by borrowing it from others. They promise to repurchase it later so need the stock price to fall. The amount of the fall is their profit.

MedSec is a sitting Pennsylvania legislator and a former U.S. Congressman. I am not surprised by the lack of ethical behavior. In the CEO’s blog, she didn’t even mention attempting to work with St. Jude Medical. She predicted their behavior. She also didn’t go to the FDA who regulates medical device security.

Whatever (profile) says:

Trading a stock in any manner with inside information is right on the edge of legality all the time. Knowing a problem exists and taking a stock position that would benefit from its disclosure would appear to be a perfect example.

It certainly makes the MedSec look like scumbags profiting from the failings of others, rather than just reporting things as they find them. Making the report to the FDA without taking a stock position would be the moral thing to do.

Then again, as is often said around here, morals are not the issue.

The Unknown commenter says:

Federal HHS and HIPAA

I saw no mention of these federal groups, but it seems to me that someone, somewhere put a group of patients that received these devices in grave danger.

HHS drops some pretty big fines… all St. Jude has to do is prove that MedSec had accessed a patient list at some time… How would MedSec prove that they did not divulge? I think MedSec (as individuals) is just as guilty as St. Jude for a HIPAA violation.

In addition, didn’t MedSec sign some type of disclosure agreement? How about a contract violation, at the least?

Ethically, MedSec could have just asked for a release of responsibility for the lack of corrective action… which they were not/could not be responsible for enforcing corrective action in the first place. HIPAA wants all this kind of thing reported. If they were worried, that was the way to go.

Making money on it, then trying to paint yourself as having a conscience, looks pretty awkward.

I don’t think that this was a well thought out action.
