Carson Block's Attack on St. Jude Reveals a New Front in Hacking for Profitby and
MedSec found cybersecurity vulnerabilities in pacemakers
The firm’s strategy is a "watershed moment" for disclosure
When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.
MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.
In April, Abbott Laboratories announced a $25 billion acquisition of St. Jude, and the deal is expected to close by the end of the year. The information about the device vulnerabilities could put it in peril.
MedSec said it found security failures including a lack of encryption and the ability for unauthorized devices to communicate with the pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. As scary as it sounds, hacking risks to medical devices have been publicized for nearly a decade and the risk to patient safety is still mostly theoretical to hundreds of thousands of people with St. Jude devices. But cybercriminals have started compromising radiology equipment, blood gas analyzers and other machines inside hospitals and nursing homes to steal data for identity theft.
"St. Jude Medical takes the security of devices and their data very seriously," Candace Steele Flippin, St. Jude’s vice president of external communications, said in a statement. "Protection of confidential patient and consumer information is a high priority for us, and we will remain vigilant to the ever-increasing sophistication of those seeking unlawful access to such data. St. Jude Medical has an ongoing program to perform security testing on our medical devices and networked equipment."
Bringing this kind of information to an investment firm is highly unorthodox. For the last 20 years, professional cybersecurity researchers have used one of two well-worn methods to monetize bugs they find. The first is disclosing them to companies for free, or taking a small payment in the form of a "bug bounty." The bugs get fixed and companies credit the researchers publicly, which creates opportunities for conference talks that lead to jobs. But many companies don’t cooperate.
The second way is to sell the information into the gray market of government agencies and cyber-weapons dealers, where good attack code can fetch hundreds of thousands of dollars. How they’re used is out of the researchers’ control.
MedSec is taking a path that some frustrated security experts believe is the only way to create fundamental change: find a way to impose significant monetary penalties on companies it believes are negligent when it comes to protecting consumers. But the startup is doing so in ways that violate some of the most basic standards of ethical security research and in an industry where the stakes are especially high.
The fundamental precept of that approach is to give the makers of digital devices and software a chance to fix flaws before cybercriminals and hackers employed by nation states can do damage with the new knowledge. MedSec Chief Executive Officer Justine Bone said St. Jude’s past record of ignoring warnings and the chance it could sue MedSec to keep it quiet precluded that approach. MedSec and Muddy Waters cited a 2014 Homeland Security investigation into St. Jude and other device makers’ cybersecurity, reported by Reuters, as a warning that could have been heeded.
"We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable."
"As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.
The fact that it took months of research for her team to identify and exploit the technology’s precise flaws should allow enough time for that to happen. "We see no evidence of an immediate threat," Bone said.
MedSec was founded in 2015 by Robert Bryan, a former portfolio manager at Metaval Capital LLC whose career also included stints at Cyrus Capital and Goldman Sachs. The Miami-based company advertises an array of services, from penetration tests against health-care companies’ corporate networks to secure software development for medical devices. Bone said that partnering with a short seller may be a one-time event.
Conducting expensive research on medical devices has never been a lucrative pursuit. Bugs can’t be sold to anti-virus companies and device makers typically don’t employ large security staffs or hire high-paid consultants the way banks do. With the Muddy Waters deal, MedSec has created a path to a potentially large payday that circumvents those hurdles.
The hacking world has made other moves toward what some critics have viewed as risky disclosures in areas that involve physical safety. Last year two well-known researchers manipulated critical systems on a Jeep Cherokee with a journalist behind the wheel, causing it to stop in traffic and triggering a recall of 1.4 million vehicles. But the combination of a potential lethal vulnerability in medical technology with a bet on the device maker’s stock is an unprecedented event, one likely to raise tricky questions for judges and federal regulatory agencies, said Jacob Olcott, a vice president at BitSight Technologies, a Boston-based cybersecurity ratings firm.
"This represents a watershed moment for cybersecurity disclosure and public markets and it raises fundamental issues that the SEC is going to have to spend more time and effort addressing," Olcott said. "But it’s pretty clear if security researchers think they have to work with a short seller to address the security posture of a major company, something is wrong."
Block has a small window of time for his bet to pay off. He said in an interview with Bloomberg Television that in addition to the short trade against St. Jude he is also long Abbott Laboratories, a hedge if his thesis doesn’t play out as expected.
MedSec and Muddy Waters said they are withholding key details of the vulnerabilities from the public but are alerting the U.S. Food and Drug Administration, which regulates medical devices, about the flaws. Bone said she is prepared for MedSec’s decision to generate criticism but argued that the old models of trying to pressure companies to make fixes don’t always work. "It’s time for some drastic action," she said.