Stock-tanking in St. Jude Medical security disclosure might have legs

Security firm MedSec and St. Jude Medical are in legal battle over suspected flaws in medical devices

For better or worse, a security firm’s attempt to cash in on software bugs -- by shorting a company’s stock and then publicizing the flaws -- might have pioneered a new approach to vulnerability disclosure.

Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.

However, the controversy came over how MedSec sought to cash in on those bugs: it partnered with an investment firm to bet against St. Jude’s stock. Since then, the two parties have been locked in a legal battle over the suspected vulnerabilities. But on Monday, MedSec claimed some vindication.

St. Jude Medical – now owned by Abbott Laboratories – has released a new security update that addresses some of the problems.

The patch fixes a flaw that, if exploited, could have drained the battery to a pacemaker or caused it to malfunction, the U.S. Food and Drug Administration explained in a notice released on the same day.

St. Jude Medical downplayed the severity of the bug, calling it an “extremely low” security risk. The FDA also said “there have been no reports of patient harm” related to the vulnerability.

Nevertheless, MedSec’s approach forced St. Jude Medical to take action, the company’s CEO Justine Bone said in a statement.

It’s unclear how much money MedSec made from the effort. But the case is probably the first time someone ever tried to receive compensation for discovering a vulnerability by shorting a stock, said Nick Selby, a cybersecurity expert and CEO of Secure Ideas Response Team.

He expects MedSec won’t be the last to take this approach. “I think they have blazed a trail,” he said. For too long, vendors have been able to stonewall security researchers about software bugs, he said.

Ideally, security researchers work with a vendor behind the scenes to patch security flaws. But in this case, MedSec decided to publicly call out St. Jude Medical, claiming the company has a history of ignoring past security issues.

Selby defended MedSec’s methods and warned that St. Jude Medical hasn't fixed all the vulnerabilities. He was part of the team from IT consulting firm Bishop Fox that verified the findings.

“We independently confirmed the vulnerabilities, but still they (St. Jude Medical) denied and denied,” Selby said. “Now it turns out they were working on a patch, so what does that tell you?”

MedSec also claims that it was careful with the vulnerability disclosure, and never publicized the exact details behind the bugs, preventing hackers from readily exploiting them.

But others disagree with MedSec’s methods. “It’s not surprising there are flaws in medical devices,” said Josh Corman, co-founder of I Am The Cavalry, a security advocacy group. “My issue was that patient safety wasn’t front and center.”

He’s been working with U.S. regulators and security experts to better protect electronic products. However, MedSec’s approach to vulnerability disclosure has been too combative, he said.

“The lawyers got involved, and then there was lack of trust,” he said. “It took five months to fix this problem.”

For security researchers who face resistance from vendors, Corman suggests they work with U.S. regulators such as the FDA to patch the vulnerabilities. He noted that new guidelines set by the FDA last month call for vendors of medical devices to mitigate the flaws 30 to 60 days after learning about them.

However, Corman also expects others to follow in MedSec’s footsteps. He’s already received phone calls from hedge funds interested in shorting companies over their products’ security vulnerabilities.

“Every single hedge fund has reached out to me,” he said.
