For better or worse, a security firm’s attempt to cash in on software bugs -- by shorting a company’s stock and then publicizing the flaws -- might have pioneered a new approach to vulnerability disclosure.
Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.
However, the controversy came over how MedSec sought to cash in on those bugs: it did so, by partnering with an investment firm to bet against St. Jude’s stock. Since then, the two parties have been locked in a legal battle over the suspected vulnerabilities. But on Monday, MedSec claimed some vindication.
St. Jude Medical – now owned by Abbott Laboratories – has released a new security update that addresses part of the problems.
The patch fixes a flaw that, if exploited, could have drained the battery to a pacemaker or caused it to malfunction, the U.S. Food and Drug Administration explained in a notice released on the same day.
St. Jude Medical downplayed the severity of the bug, calling it an “extremely low” security risk. The FDA also said “there have been no reports of patient harm” related to the vulnerability.
Nevertheless, MedSec said its approach forced St. Jude Medical to take action, the company’s CEO Justine Bone said in a statement.
It’s unclear how much money MedSec made from the effort. But the case is probably the first time someone ever tried to receive compensation for discovering a vulnerability by shorting a stock, said Nick Selby, a cybersecurity expert and CEO of Secure Ideas Response Team.
He expects MedSec won’t be the last to take this approach. “I think they have blazed a trail,” he said. For too long, vendors have been able to stonewall security researchers about software bugs, he said.
Ideally, security researchers work with a vendor behind the scenes to patch security flaws. But in this case, MedSec decided to publicly call out St. Jude Medical, claiming the company has a history of ignoring past security issues.
Selby defended MedSec’s methods and warned that St. Jude Medical hasn't fixed all the vulnerabilities. He was part of the team from IT consulting firm Bishop Fox that verified the findings.
“We independently confirmed the vulnerabilities, but still they (St. Jude Medical) denied and denied,” Selby said. “Now it turns out they were working on a patch, so what does that tell you?”
MedSec also claims that it was careful with the vulnerability disclosure, and never publicized the exact details behind the bugs, preventing hackers from readily exploiting them.
But others disagree with MedSec’s methods. “It’s not surprising there are flaws in medical devices,” said Josh Corman, who is the co-founder of I Am The Cavalry, a security advocacy group. “My issue was that patient safety wasn’t front and center.”
He’s been working with U.S. regulators and security experts to better protect electronic products. However, MedSec’s approach to vulnerability disclosure has been too combative, he said.
“The lawyers got involved, and then there was lack of trust,” he said. “It took five months to fix this problem.”
For security researchers who face resistance from vendors, Corman suggests they work with U.S. regulators such as the FDA to patch the vulnerabilities. He noted that new guidelines set by the FDA last month call for vendors of medical devices to mitigate the flaws 30 to 60 days after learning about them.
However, Corman also expects others to follow in MedSec’s footsteps. He’s already received phone calls from hedge funds interested in shorting companies over their products' security vulnerabilities
“Every single hedge fund has reached out to me,” he said.