In an arrangement that has raised both eyebrows and ethical disclosure questions among security pros, when cybersecurity firm MedSec detected a flaw in a medical device from St. Jude Medical, it eschewed seeking a bug bounty from the manufacturer for the find and instead partnered with an investment firm to capitalize on its knowledge and short sell stock in the device manufacturer.
They won big on Thursday when the stock of the pacemaker manufacturer dropped sharply after their report broke that the implanted heart devices could be susceptible to cyberattacks, according to a Reuters story.
Although St. Jude is claiming the allegations are false, its stock fell nearly 5 percent. Exacerbating the financial impact is the fact that St. Jude agreed in April to sell itself to Abbott Laboratories for $25 billion. The deal is expected to wrap by the end of the year, but the information about the device vulnerabilities, or the drop in the company's stock price, could put the merger in peril. Yesterday's market action renders St. Jude's stock price at a 7.4 percent discount to Abbott's takeover bid.
Hackers working at MedSec, an 18-month-old cybersecurity research firm focused on the healthcare industry and based in Miami, claimed they detected a security flaw in pacemakers and defibrillators manufactured by St. Jude Medical that could open the devices up to cyberintrusion, thus rendering them life-threatening. Instead of taking that information to St. Jude, they contacted Carson Block, the head of the investment firm Muddy Waters Research, to make a proposal that resulted in Block hiring MedSec as consultants three months ago.
Under the terms of the deal, MedSec would receive a licensing fee for its vulnerability research and earn a percentage of any profits from the investment, Block told Reuters.
MedSec contended that the heart devices produced by St. Jude's were vulnerable to cyberattack and put patients at risk. Specifically, the firm said it detected two hacks: One that could increase rates in the implanted devices and another that could drain the batteries.
The threat of hacks into medical devices - and pacemakers in particular - has long been feared. Three years ago, former Vice President Dick Cheney revealed on 60 Minutes that the wireless functionality of his heart implant had been disabled owing to concerns that hackers could assassinate him via a cyberattack into the device. And for several years running, a team of white hat hackers have demonstrated their ability to remotely enter into the computer networks of automobiles to alter settings that might interfere with the driving mechanisms.
St. Jude took issue with the findings. In a statement, Philip Ebeling, chief technology officer (CTO) at the manufacturer, said the devices contained several layers of security, security assessments are carried out on a regular basis and that external experts are enlisted to assess the devices being questioned.
And while Justine Bone, CEO at MedSec, told Reuters that her firm's partnership with the investment firm was "a business relationship...but our goal here is to bring this to the attention of the public," many security pros found the alleged security flaw as well as the deal between MedSec and Muddy Waters to be troubling.
“Innovation in medical devices is clearly driving the market, but at the same time, as indicated by this alleged incident, we are now facing an increasing number of threat vectors," Sam Rehman, CTO of Arxan Technologies, told SCMagazine on Friday via email. "This incident, for example, was conducted by reverse-engineering a publicly available custom device, which communicates on one end with the defibrillator and on the other end out to a network."
All three points – the wireless protocol, the device itself and the outbound protocol – are highly sensitive and could present multiple entry points for attackers to, at the very minimum, steal sensitive information, or potentially modify settings as well, Rehman explained. "It's clear that the first step is to harden and protect the device first and foremost, and secure the two protocols and all the keys involved.”
"I think all parties – investors, companies and the SEC – will want to take a closer look at existing investor disclosure policies to evaluate whether the current approach is effective," Jacob Olcott, vice president of business development at BitSight, told SCMagazine via email on Friday. "In recent years, investors have expressed an interest in consuming data on cybersecurity, but have had difficulty accessing that information."
This incident, Olcott explained, suggests there's a more granular level of cybersecurity information that some investors are interested in, namely cybersecurity in medical devices. "It's unclear whether existing disclosure guidance clearly addresses the issue today."
"The overblown and misleading disclosure of this 'research' was structured purely to maximize opportunistic financial gains," Alex Rice, co-founder and CTO at HackerOne, told SCMagazine via email on Friday. "I'd hope the SEC investigates this dangerous behavior as classic short and distort securities fraud. The disclosure of vulnerabilities in any technology should place the safeguard of consumers first, not blatant personal greed."
Katie Moussouris, a bug bounty expert and the founder and CEO of Luta Security, a new security start-up company, also questions the precedence being set. This is a classic 'responsible' disclosure debate inside of a safety debate enclosed in a quality debate, wrapped with a dollar bill around it for flavor. Who is responsible? The researchers who make the public aware of the security and safety risk, or the manufacturers who have created the vulnerable products?"
In the past, researchers who reported security issues to vendors would find the vulnerabilities for free, and risk their freedom from prosecution in order to help inform the public of their risk, she explained to SCMagazine.com in an email on Sunday. "Those vendors could either accept the free research and try to improve their security for their customers, or wait for an attack before taking the threat seriously."
The growing market for security vulnerabilities and exploits is still developing, Moussouris points out. "Reasonable people will disagree as to which incentives, on both the researcher and the vendor side, that minimize risk and improve safety."
Other experts saw the news in a different light. Casey Ellis, CEO and founder Bugcrowd, told SCMagazine on Friday via email that the action is unprecedented in terms of the public nature of how it has been discussed. "Has it happened before? Probably. Weev proposed exactly this model under Tro LLC a few years back. It's not a new idea."
[editor's note: Andrew Auernheimer, aka Weev, is an American hacker who set out to form a hedge firm, Tro LLC, which would give software exploit developers the chance to sell their flaws: "I want to continue bringing issues in companies that put you at risk to light, and short the stocks of those companies when I do so," he wrote in a funding letter.]
But, Ellis said, it's useful in that "these safety critical vulnerabilities will more than likely get fixed, and the medical device industry is on notice about reviewing and ensuring the cybersafety of those who depend on it."
It's also concerning, he added, that the relationship between security researchers and vendors is experiencing a transition from fear to cooperation. "This is, by the very nature of the short, a combative action, the signals of which could set that back. Hopefully that doesn't happen."