Stock-tanking in St. Jude Medical security disclosure might have legs

Security firm MedSec and St. Jude Medical are in a legal battle over suspected flaws in medical devices

For better or worse, a security firm’s attempt to cash in on software bugs -- by shorting a company’s stock and then publicizing the flaws -- might have pioneered a new approach to vulnerability disclosure.

Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.

However, the controversy came over how MedSec sought to cash in on those bugs: it did so by partnering with an investment firm to bet against St. Jude’s stock. Since then, the two parties have been locked in a legal battle over the suspected vulnerabilities. But on Monday, MedSec claimed some vindication.

St. Jude Medical – now owned by Abbott Laboratories – has released a new security update that addresses some of the problems.

The patch fixes a flaw that, if exploited, could have drained a pacemaker’s battery or caused the device to malfunction, the U.S. Food and Drug Administration explained in a notice released on the same day.

St. Jude Medical downplayed the severity of the bug, calling it an “extremely low” security risk. The FDA also said “there have been no reports of patient harm” related to the vulnerability.

Nevertheless, MedSec’s approach forced St. Jude Medical to take action, the company’s CEO, Justine Bone, said in a statement.

It’s unclear how much money MedSec made from the effort. But the case is probably the first time anyone has tried to be compensated for discovering a vulnerability by shorting a stock, said Nick Selby, a cybersecurity expert and CEO of Secure Ideas Response Team.

He expects MedSec won’t be the last to take this approach. “I think they have blazed a trail,” he said. For too long, vendors have been able to stonewall security researchers about software bugs, he said.

Ideally, security researchers work with a vendor behind the scenes to patch security flaws. But in this case, MedSec decided to publicly call out St. Jude Medical, claiming the company had a history of ignoring security issues.

Selby defended MedSec’s methods and warned that St. Jude Medical hasn't fixed all the vulnerabilities. He was part of the team from IT consulting firm Bishop Fox that verified the findings.

“We independently confirmed the vulnerabilities, but still they (St. Jude Medical) denied and denied,” Selby said. “Now it turns out they were working on a patch, so what does that tell you?”

MedSec also claims it was careful in its disclosure and never publicized the exact details of the bugs, so that attackers could not readily exploit them.

But others disagree with MedSec’s methods. “It’s not surprising there are flaws in medical devices,” said Josh Corman, co-founder of I Am The Cavalry, a security advocacy group. “My issue was that patient safety wasn’t front and center.”

He’s been working with U.S. regulators and security experts to better protect electronic products. However, MedSec’s approach to vulnerability disclosure has been too combative, he said.

“The lawyers got involved, and then there was lack of trust,” he said. “It took five months to fix this problem.”

For security researchers who face resistance from vendors, Corman suggests working with U.S. regulators such as the FDA to get the vulnerabilities patched. He noted that new guidelines issued by the FDA last month call for medical device vendors to mitigate flaws within 30 to 60 days of learning about them.

However, Corman also expects others to follow in MedSec’s footsteps. He has already received phone calls from hedge funds interested in shorting companies over their products’ security vulnerabilities.

“Every single hedge fund has reached out to me,” he said.

Michael Kan

IDG News Service