Vulnerability to cyber threats and hacking of products in the Internet of Things has been a recurring headline throughout 2016. Traditionally, identifying these vulnerabilities has remained the insider trade between manufacturers and private security companies that probe for such soft targets. But a new twist has developed in the relationship between manufacturer and security firm that some are labeling a new form of piracy.
Identifying these shortcomings has been a business for many security firms. In the case of MedSec, however, advocacy for securing a medical device made by St. Jude took an unusual turn. Claiming that the exploitable flaws it identified in St. Jude devices had fallen on deaf ears for years, MedSec sought out an investment firm with which to short the stock, essentially betting on a share price drop once MedSec revealed the vulnerabilities. Some claim MedSec went to the investment firm before bringing the issues to St. Jude at all.
“It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock,” said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.
“I think this could absolutely put patients in harm’s way,” said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council think tank.
To date, St. Jude has called MedSec's allegations untrue and has cited multiple flaws in the testing methodology that produced the findings; MedSec vehemently defends its methods and is proceeding as planned. Nevertheless, St. Jude's stock price has fallen by about 5% since the vulnerabilities were made public.
“St. Jude Medical stood out, far and away, as severely deficient when it comes to security protections,” MedSec CEO Justine Bone said in a Bloomberg interview.
MedSec contends that St. Jude wasn't notified because of the company's history of ignoring security issues despite regulatory actions. MedSec was, however, compensated by Muddy Waters Capital, its partner in the short, which paid a licensing fee and forwarded profits from its investment to MedSec as compensation for the research.
“We felt notifying the company would simply give it a chance to prepare its ‘messaging’ in an effort to sweep this under the rug,” MedSec said in an email.
“Of course, we are looking to recover our costs here,” Bone said in the Bloomberg interview.
Security experts agree this action may have opened a Pandora's box. “How disclosure happens is critical,” Cyber Statecraft's Corman said. “If we bring too much attention to these vulnerabilities, adversaries may want to target them… These are flaws in a product that are being put in a human being's chest… You would need surgery to remove them.”
Although channels exist through U.S. regulators to address these types of security issues, the question remains as to why they were not used in this case. Some contend that hospitals could have efficiently notified patients in advance of the disclosures, rather than having them find out in the news. In the meantime, patients with vulnerable devices are encouraged to continue using their devices and to await further information from St. Jude or their primary care provider.