Stock-tanking in St. Jude Medical security disclosure might have legs

Security firm MedSec and St. Jude Medical are in legal battle over suspected flaws in medical devices

For better or worse, a security firm’s attempt to cash in on software bugs -- by shorting a company’s stock and then publicizing the flaws -- might have pioneered a new approach to vulnerability disclosure.

Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.

However, the controversy came over how MedSec sought to cash in on those bugs: it did so by partnering with an investment firm to bet against St. Jude’s stock. Since then, the two parties have been locked in a legal battle over the suspected vulnerabilities. But on Monday, MedSec claimed some vindication.

St. Jude Medical – now owned by Abbott Laboratories – has released a new security update that addresses some of the problems.

The patch fixes a flaw that, if exploited, could have drained the battery to a pacemaker or caused it to malfunction, the U.S. Food and Drug Administration explained in a notice released on the same day.

St. Jude Medical downplayed the severity of the bug, calling it an “extremely low” security risk. The FDA also said “there have been no reports of patient harm” related to the vulnerability.

Nevertheless, MedSec’s approach forced St. Jude Medical to take action, the company’s CEO Justine Bone said in a statement.

It’s unclear how much money MedSec made from the effort. But the case is probably the first time someone ever tried to receive compensation for discovering a vulnerability by shorting a stock, said Nick Selby, a cybersecurity expert and CEO of Secure Ideas Response Team.

He expects MedSec won’t be the last to take this approach. “I think they have blazed a trail,” he said. For too long, vendors have been able to stonewall security researchers about software bugs, he said.

Ideally, security researchers work with a vendor behind the scenes to patch security flaws. But in this case, MedSec decided to publicly call out St. Jude Medical, claiming the company has a history of ignoring past security issues.

Selby defended MedSec’s methods and warned that St. Jude Medical hasn't fixed all the vulnerabilities. He was part of the team from IT consulting firm Bishop Fox that verified the findings.

“We independently confirmed the vulnerabilities, but still they (St. Jude Medical) denied and denied,” Selby said. “Now it turns out they were working on a patch, so what does that tell you?”

MedSec also claims that it was careful with the vulnerability disclosure, and never publicized the exact details behind the bugs, preventing hackers from readily exploiting them.

But others disagree with MedSec’s methods. “It’s not surprising there are flaws in medical devices,” said Josh Corman, who is the co-founder of I Am The Cavalry, a security advocacy group. “My issue was that patient safety wasn’t front and center.”

He’s been working with U.S. regulators and security experts to better protect electronic products. However, MedSec’s approach to vulnerability disclosure has been too combative, he said.

“The lawyers got involved, and then there was lack of trust,” he said. “It took five months to fix this problem.”

For security researchers who face resistance from vendors, Corman suggests they work with U.S. regulators such as the FDA to patch the vulnerabilities. He noted that new guidelines set by the FDA last month call for vendors of medical devices to mitigate the flaws 30 to 60 days after learning about them.

However, Corman also expects others to follow in MedSec’s footsteps. He’s already received phone calls from hedge funds interested in shorting companies over their products’ security vulnerabilities.

“Every single hedge fund has reached out to me,” he said.