US hacking firm teams up with short seller
When a team of hackers discovered that St Jude Medical Inc's pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn't warn St Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.
Bloomberg
27 August 2016
MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Mr Block taking a short position against St Jude. The hackers' fee for the information increases as the price of St Jude's shares falls, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn't work, and the shares don't fall, MedSec could lose money, taking into account their upfront costs, including research. St Jude's shares declined 4.4 per cent to US$77.50 at 1.40pm in New York with more than 25 million shares traded.
In April, Abbott Laboratories announced a US$25 billion acquisition of St Jude, and the deal is expected to close by the end of the year. The information about the device vulnerabilities could put it in peril.
MedSec said that it found security failures including a lack of encryption and the ability for unauthorised devices to communicate with the pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. As scary as it sounds, hacking risks to medical devices have been publicised for nearly a decade and the risk to patient safety is still mostly theoretical to hundreds of thousands of people with St Jude devices. But cybercriminals have started compromising radiology equipment, blood gas analysers and other machines inside hospitals and nursing homes to steal data for identity theft.
"St Jude Medical takes the security of devices and their data very seriously," said Candace Steele Flippin, St Jude's vice-president of external communications. "Protection of confidential patient and consumer information is a high priority for us, and we will remain vigilant to the ever-increasing sophistication of those seeking unlawful access to such data. St Jude Medical has an ongoing programme to perform security testing on our medical devices and networked equipment."
Bringing this kind of information to an investment firm is highly unorthodox. For the last 20 years, professional cybersecurity researchers have used one of two well-worn methods to monetise bugs they find. The first is disclosing them to companies for free, or taking a small payment in the form of a "bug bounty". The bugs get fixed and companies credit the researchers publicly, which creates opportunities for conference talks that lead to jobs. But many companies don't cooperate.
The second way is to sell the information into the grey market of government agencies and cyber-weapons dealers, where good attack code can fetch hundreds of thousands of dollars. How they're used is out of the researchers' control.
MedSec is taking a path that some frustrated security specialists believe is the only way to create fundamental change: Find a way to impose significant monetary penalties on companies it believes are negligent when it comes to protecting consumers. But the startup is doing so in ways that violate some of the most basic standards of ethical security research and in an industry where the stakes are especially high.
"We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Ms Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable.
"As far as we can tell, St Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Ms Bone said. There are steps St Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor's visit, she said.
The fact that it took months of research for her team to identify and exploit the technology's precise flaws should allow enough time for that to happen. "We see no evidence of an immediate threat," Ms Bone said.
MedSec was founded in 2015 by Robert Bryan, a former portfolio manager at Metaval Capital LLC whose career also included stints at Cyrus Capital and Goldman Sachs. The Miami-based company advertises an array of services, from penetration tests against healthcare companies' corporate networks to secure software development for medical devices. Ms Bone said that partnering with a short seller may be a one-time event.
Conducting expensive research on medical devices has never been a lucrative pursuit. Bugs can't be sold to anti-virus companies and device makers typically don't employ large security staffs or hire high-paid consultants the way banks do. With the Muddy Waters deal, MedSec has created a path to a potentially large payday that circumvents those hurdles.
The hacking world has made other moves towards what some critics have viewed as risky disclosures in areas that involve physical safety. Last year, two well-known researchers manipulated critical systems on a Jeep Cherokee with a journalist behind the wheel, causing it to stop in traffic and triggering a recall of 1.4 million vehicles. But the combination of a potentially lethal vulnerability in medical technology with a bet on the device maker's stock is an unprecedented event, one likely to raise tricky questions for judges and federal regulatory agencies, said Jacob Olcott, a vice-president at BitSight Technologies, a Boston-based cybersecurity ratings firm.
"This represents a watershed moment for cybersecurity disclosure and public markets and it raises fundamental issues that the SEC is going to have to spend more time and effort addressing," Mr Olcott said. "But it's pretty clear if security researchers think they have to work with a short seller to address the security posture of a major company, something is wrong."