A kind of batshit insane and unprecedented thing has just happened in the world of ethical hacking.
After finding serious security vulnerabilities in St. Jude Medical’s pacemakers and defibrillators, cybersecurity and research company MedSec decided to take that information to a short-seller (Carson Block of the investment firm Muddy Waters), which then bet against the company in the stock market. It did this instead of disclosing the vulnerabilities, which in theory could endanger lives, to the manufacturer, St. Jude.
MedSec suggested an unprecedented partnership: the hackers would provide data proving the medical devices were life-threatening, and Block would take a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares falls, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work and the shares don’t fall, MedSec could lose money once its upfront costs, including research, are taken into account.
St. Jude’s stock closed down nearly 4 percent on Thursday. Abbott Laboratories made a $25 billion bid for St. Jude back in April. Thanks to these vulnerabilities, that deal could be in peril, according to Bloomberg.
MedSec’s CEO Justine Bone says that her company didn’t disclose to St. Jude because it was unconvinced the medical device maker would actually fix the problem. Rather than have the problem ignored (and potentially put patients’ lives at risk), MedSec decided to not just shame St. Jude, but make it pay.
In an entry on the MedSec company blog, Bone wrote:
We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action. Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products.
Bone was even more explicit with Bloomberg, stating that “as far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts.” In a separate video interview, she noted that security vulnerabilities disclosed to St. Jude in 2013 had gone unfixed and still remained open.
Still, MedSec stood to rake in a huge fee as St. Jude’s stock dropped.
MedSec could also have gone to CERT, the U.S. Computer Emergency Response Team, to ensure the vulnerabilities were not ignored, security evangelist Jessy Irwin told me. Irwin said reports to CERT could have resulted in homeland security advisories and major FDA warnings and, as a result, the issue with the defibrillators and pacemakers wouldn’t be ignored. CERT also has distinct guidelines for vulnerability disclosure. The industry standard for public disclosure (the amount of time between when a company is made aware of a vulnerability and when that vulnerability is made public) is 90 days, but CERT’s window is only 45 days.
Irwin says that if MedSec had gone to CERT first, St. Jude would have had only 45 days before the exploits were made public, whether a patch was ready or not.
“What this means is that instead of approaching an investment company, they would be held to the same vulnerability disclosure guidelines as any other research firm,” Irwin explained.
Depending on how this works out for MedSec, this could set a precedent for the way tech firms operate and disclose vulnerabilities. On the one hand, it could convince compromised companies to take vulnerabilities more seriously because real money could be on the line. On the other hand, it could be seen as a way of using exploits to blackmail companies rather than getting them patched. And that’s a bad thing.
For its part, St. Jude says that everything is fine! Phil Ebeling, St. Jude’s CTO, told Bloomberg that the allegations that the manufacturer doesn’t care about security are “absolutely untrue.” “There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices,” Ebeling added.
The good news for patients who have a vulnerable St. Jude defibrillator or pacemaker is that it took months of research for MedSec to find the vulnerability. Bone told Bloomberg that she sees “no evidence of an immediate threat.” Muddy Waters and MedSec also say that they are alerting the FDA about the flaws.