Cyber Security

Firm Sued For Cashing In On Medical Security Flaws

If your company discovers a medical device can be hacked, is it wrong to short its stock?

Sep 09, 2016 at 11:18 AM ET

A pacemaker manufacturer is suing two companies that teamed up to find cybersecurity flaws in their product — and then profited when the stock tumbled.

MedSec, a cybersecurity research company that specializes in medical devices, made an unusual choice when it announced it had discovered drastic, potentially fatal vulnerabilities in pacemakers created by St. Jude Medical. It partnered with Muddy Waters, an investment firm whose bread and butter is to find and publish glaring issues with other companies while shorting their stock, betting that the company will likely stumble or fail. MedSec’s findings explicitly called for a major overhaul of St. Jude’s pacemakers, saying many of their devices “might — and in our view, should — be recalled and remediated.”

Discovering and publishing cybersecurity vulnerabilities in Internet of Things devices is a rapidly growing industry. But it’s still rare for a company that finds such vulnerabilities to directly profit at that company’s expense when it finds them, as MedSec apparently has. The company didn’t respond to Vocativ’s inquiry, but when previously pressed on a TV appearance, CEO Justine Bone told Bloomberg that “we are paid on a fee basis and as consultants and our compensation with regards to our arrangement with Muddy Waters is connected to [their] investments.”

St. Jude, which is in the process of being acquired by Abbott Laboratories, did see its stock drop after Muddy Waters and MedSec’s announcement.

In its own statement, St. Jude announced its suit against both MedSec and Muddy Waters, accusing them of “false statements, false advertising, conspiracy and the related manipulation of the public markets.”

Muddy Waters, however, stood by its actions, providing a statement to Vocativ that said, “It is not unusual for a company like this to try to silence its critics and we are always prepared to vigorously defend our right to criticize a company that puts its profits before its patients.”

The case, it would seem, hinges on the integrity of MedSec’s findings. The two biggest, potentially life-threatening flaws it found are one that allows access to a personal monitor called Merlin@home, and another that can allow an attacker to secretly drain a pacemaker’s battery. Muddy Waters, which is not a cybersecurity firm, declared that the flaws were so severe that “despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.”

But other cybersecurity researchers have cast some doubt on MedSec’s findings. As noted cybersecurity researcher and blogger Rob Graham wrote, even though “there’s no reason to doubt that there’s quality research underlying all this,” the actual report “is clearly designed to scare other investors to drop St Jude stock price in the short term so that Muddy Waters can profit.”

A University of Michigan analysis of the report found it lacking. Some of the error conditions that MedSec observed in a St. Jude defibrillator could also be produced, for example, simply by not plugging the device in properly, and the report doesn’t establish that this wasn’t the case.

“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions,” Kevin Fu, a UM associate professor of computer science and cofounder of Virta Labs, a medical device startup, said in a university release of their findings. “We were able to generate the reported conditions without there being a security issue.”

If the suit is not settled, it will become a rare case in which a cybersecurity researcher’s findings are scrutinized in court. And considering how common at least minor flaws are in so many devices, even if St. Jude can prove in court that MedSec exaggerated its findings, it would be a major scandal if all of them turned out to be bunk.

“Any even remotely security-related changes St. Jude makes to its product will now look like an admission. I’d not want to be a customer,” tweeted renowned computer researcher Matt Blaze. “Worse, claiming the vulnerabilities are false puts St. Jude (and its customers) in the position of being dis-incented [sic] from fixing them.”