Uncoordinated Vulnerability Disclosure Causing Heart Palpitations For St. Jude Medical Shareholders
August 26, 2016 • RBS
Risk Based Security has been deep in the weeds of the vulnerability research and disclosure debates for many years. Many think they have seen and heard it all before: the pros and cons of bug bounty programs, the delicate balancing act of the disclosure process, even the pain of having serious findings brushed aside and ignored like an unwelcome guest at a party. Today's actions by MedSec and Muddy Waters take the vulnerability disclosure debate into a realm most have not previously considered.
Muddy Waters, a firm that publishes investment research, announced it was shorting the stock of St. Jude Medical (NYSE:STJ) on the basis of security flaws found in its pacemakers and the suite of products that support these implanted devices. The vulnerabilities were discovered by researchers at MedSec, a software security and vulnerability research firm specializing in medical devices and healthcare applications. Muddy Waters asserts in its research report that the vulnerabilities are so significant that the devices must be withdrawn from the market, and has called for an immediate recall. According to the report, St. Jude's cardiac device ecosystem accounts for 46% of St. Jude's revenue, or approximately $2.5 billion. A major recall, or even a significant slowing in sales, could hurt St. Jude's stock price and potentially derail the proposed buyout of St. Jude by Abbott.
In essence, Muddy Waters Capital is using research into undisclosed security vulnerabilities as leverage to lower the stock price of St. Jude Medical. If it works, Muddy Waters, and MedSec, could make a substantial profit. So far, the strategy appears to be paying off: St. Jude Medical's stock dropped roughly 5% on the first day of the news, from a high of $81.99 to a closing price of $77.82.
From the Muddy Waters Research report:
“While standard practice in the cybersecurity industry is to notify companies of vulnerabilities before discussing them publicly, MedSec licensed its research to Muddy Waters so that we could bring these issues to light (without revealing detailed vulnerability information).
Muddy Waters has engaged MedSec as consultants in addition to licensing its research on STJ. MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages.”
If you feel like you have heard this before, it is because you have. This isn't the first time someone has thought of or proposed this concept: using unpublished security information or zero-day vulnerabilities to move the market. In April 2014, the well known and convicted "hacker" Andrew "weev" Auernheimer, after being released from prison, talked publicly about his desire to start a hedge fund called TRO LLC.
The basic premise of the fund, in weev's own words:
I am founding this fund because I believe the public has a right [to know], and I have a moral obligation to inform the public… And at the end of the day, it actually is more profitable, there’s better money in it… I’d much rather bring [security breaches] to the public’s attention so consumers can make informed decisions.
You can listen to weev describe it first hand in his CNBC interview on the subject.
He was asked whether the "method" was questionable, how he felt about people calling it slimy, and about the disappointment with his approach. He went on to explain that another firm based in New York, Consumer Bell, had a similar strategy, just with traditional products.
“First we probe the public surface of a company. And second, we take a look and we actually watch hackers — foreign hackers like the Russian Business Network and find out what they’re doing. There’s another company in New York it’s called Consumer Bell…and they do what we do, but for really old boring products — like finding food that has mold in it that makes children sick, when a car company has a car that hurts people, the stock value drops, or when a software or cloud company has a similar problem, their stock is going to drop, too.”
To our knowledge TRO LLC never launched, and his crowdfunding efforts appear to have been unsuccessful.
It should also be noted that the company he appears to reference, Consumer Bell, had a Squarespace website that is now marked "expired", and appears to have posted a goodbye blog post in November 2013.
St. Jude Vulnerabilities Disclosed
The MedSec report describes two primary attacks on St. Jude pacemakers and defibrillators. The first allegedly can cause implanted devices to pace at potentially dangerous rates; the second drains their batteries, slowly as currently implemented in MedSec's exploit, though the report claims it could be made considerably faster.
Additional information from the report about the discovered vulnerabilities:
The Merlin@home devices MedSec tested generally only required approximately 10 minutes to get access to the root directory.
There are numerous ways in which the Merlin@home devices violate security standards (and defy logic):
No apparent tamper proofing or hardware identity protection. Chip models are clearly displayed, aiding the research process for an attacker.
Unprotected software. While patient data is encrypted, the Merlin@home device has entirely unencrypted software. Competing systems use some form of encryption to protect the proprietary applications. Extracting software from the @Home device can be done by identifying the chip, and reading the data off it.
The Merlin@home’s Samsung flash memory has been publicly documented to be vulnerable.
Lack of a layered defense. In MedSec’s opinion, the use of off-the-shelf components and the lack of anti-debugging mechanisms made the Merlin@home device significantly easier to reverse engineer and locate numerous vulnerabilities. The manufacturer left many developmental items on the devices that should not be present, such as scripts that allow debugging and development mode to be turned on. All of the competitors incorporated additional security measures. Some manufacturers required short range authentication (via a wand).
Easy availability of device firmware. MedSec was also able to obtain the @home device’s firmware in three ways:
1. Decapitating the Samsung memory chip,
2. Getting root on the @home device and simply copying the files to the USB port
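The report's central technical claim above is that the transmitter's software is stored in the clear, so that once the flash contents are read off the chip (or copied out after getting root) the code can be reverse engineered directly. The script below is an added example, not code from the original post or from MedSec's report: it shows the first check an assessor runs on a dumped image to test that claim, a per-block Shannon entropy scan. Plaintext code, scripts and configuration sit well below 8 bits per byte, while encrypted (or compressed) regions sit close to 8. The sample image, the `enable_debug.sh` text in it and the threshold values are constructed for illustration; nothing here is real device firmware.

```python
"""Per-block Shannon entropy scan of a firmware image (added example)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    counts = Counter(block)
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_firmware(image: bytes, block_size: int = 4096,
                  high: float = 7.5, low: float = 6.0) -> list:
    """Label each block 'plaintext', 'mixed' or 'high-entropy'.

    Thresholds are rules of thumb (assumed here): native code and text
    usually measure 4-6.5 bits/byte, while ciphertext over a 4 KiB block
    averages about 7.95. Returns a list of (offset, entropy, label).
    """
    results = []
    for off in range(0, len(image), block_size):
        h = shannon_entropy(image[off:off + block_size])
        if h >= high:
            label = "high-entropy"
        elif h <= low:
            label = "plaintext"
        else:
            label = "mixed"
        results.append((off, round(h, 2), label))
    return results


def summarize(results: list) -> dict:
    """Fraction of blocks per label. An image that is mostly 'plaintext'
    ships its software unencrypted and can be read straight off the flash."""
    total = len(results) or 1
    counts = Counter(label for _, _, label in results)
    return {k: counts[k] / total for k in ("plaintext", "mixed", "high-entropy")}


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext.
    A SHA-256 hash chain, NOT a cipher; used only so the sample is
    reproducible without a random source."""
    out = bytearray()
    state = seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


# Constructed sample image: three 4 KiB blocks of a development shell
# script (the kind of debug-enabling script the report says was left on
# the device), followed by two 4 KiB blocks of ciphertext-like filler.
DEV_SCRIPT = (b"#!/bin/sh\n# enable_debug.sh (constructed sample)\n"
              b"echo 1 > /tmp/dev_mode\n/usr/sbin/telnetd -l /bin/sh\n")
SAMPLE_IMAGE = (DEV_SCRIPT * (3 * 4096 // len(DEV_SCRIPT) + 1))[:3 * 4096] \
    + _pseudo_random(2 * 4096, b"constructed-sample")


if __name__ == "__main__":
    scan = scan_firmware(SAMPLE_IMAGE)
    for off, h, label in scan:
        print(f"0x{off:08x}  {h:5.2f} bits/byte  {label}")
    print(summarize(scan))
```

On a real dump you would run the scan over the whole flash image and then look at the plaintext regions: readable strings, a recognizable filesystem, or scripts such as the debug toggles described above confirm that the firmware is unprotected, while a uniformly high-entropy image means you are looking at ciphertext or a compressed container that needs further work before any code review.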
After the news was released, St. Jude Medical quickly responded and denied the claims made by MedSec and Muddy Waters.
St. Jude’s chief technology officer Phil Ebeling called the claims “absolutely untrue.” He said the medical device maker has “several layers of security measures in place” and conducts regular security assessments.
St. Jude also said it works with external experts to safeguard Merlin@home as well as its other devices.
Some may instantly assume this type of activity is illegal, a form of insider trading. It is not: neither MedSec nor Muddy Waters had any inside knowledge from working at the company. However, just as weev was questioned about his business model, the immediate question is whether this is ethical.
MedSec CEO Justine Bone was on Bloomberg to discuss the issues and fielded several questions. She was asked almost immediately how she makes money on this situation, but sidestepped the initial question. After a follow-on question from the hosts, she revealed that her organization was paid a fee and that its compensation is also tied to the performance of Muddy Waters' investments. She further shared that they had been working on this research for approximately 18 months, and clarified that they are not aware of any immediate threats, but said it was clear that St. Jude needed to raise the bar and overhaul its technology and security. Next, the hosts asked Bone whether what they were doing was ethical. She replied:
We recognize that it is untraditional, but given St. Jude Medical's track history of brushing these security issues to one side, and basically making no changes whatsoever to their technology. Despite having researchers call their attention to issues in the past. Despite the DHS investigation. Despite the FDA requirements that cyber security be prioritized, nothing has changed in St. Jude Medical's technology suite. So we did not feel confident that the most effective way forward was to approach St. Jude Medical, and again we believe that patients have a right to know about the risks they are looking at.
We agree that consumers have a right to know about vulnerabilities in the products they use. However, this approach has reinvigorated the decades-long full disclosure debate, because of the unorthodox method of disclosure and MedSec's clear financial motive for taking it.
There was a lot of conversation on Twitter today about this issue, and Kenn White shared his view that this is purely about greed.
Previous Stock Price Research
Risk Based Security has been tracking data breaches for a very long time, and we have frequently seen high-profile breaches unfold over years. After the initial weeks or months of a breach, most news outlets and security companies lose interest. Long term, though, the story may eventually include the investigation, consultants, lawsuits, arrests, prosecutions, stock price fluctuations, and more. Here is some content from our coverage of the Sony Pictures breach in 2014 on the issue:
As we have seen many times before and discussed previously, the stock of the affected company did not continue to go down. Instead, it actually increased considerably after the breach. This typically happens due to a company being transparent to varying degrees, promising customers that they will improve, and appearing to take responsibility for the breach. The level to which a company does those things may vary greatly.
Note that in our experience, we frequently see stock prices drop as an immediate reaction to such events, but often return to the original value within three months.
Was St. Jude Targeted?
Security vulnerabilities in medical devices are nothing new. In October 2014 it was reported that DHS was investigating what was described as 24 potentially deadly cyber flaws in medical devices, and St. Jude Medical was part of that investigation.
Sources said DHS is looking into “suspected vulnerabilities in implantable heart devices from Medtronic and St. Jude Medical.” Medtronic told Reuters it has enhanced security of its implantable cardiac devices, but wouldn’t give specifics “in the interest of public safety.” St. Jude Medical claimed it conducts “extensive security testing,” but will issue patches for its medical devices and networked equipment if any flaws are identified.
Although St. Jude Medical has been involved in security issues before, make no mistake: it is not alone in producing medical devices with vulnerabilities, and the trend toward increasingly connected medical devices raises the stakes.
Chris Wysopal raised the question of security debt:
Security debt, or technical debt more generally, is something businesses of all sizes struggle to manage. It can be hard enough just to keep systems up and running, let alone re-architect old systems with new technology and proper security controls.
Andrea Matwyshyn points out that public company SEC reporting should be improved as it relates to security as a material risk, which should cover things such as security debt. Currently the reporting requirement, while broad, is viewed by many organizations as triggered only when a data breach has occurred that may "make an investment in the company speculative or risky."
Whether or not you believe the Muddy Waters and MedSec approach is unethical, given the state of security and vulnerabilities, especially in medical products, this is an event that can easily be repeated. That should concern everyone.