For decades, there's been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.
But a cybersecurity firm called MedSec just upended that truce.
Instead of following industry traditions by alerting St. Jude Medical when researchers found alleged bugs in the company's implantable heart equipment, MedSec struck a deal with a short-seller called Muddy Waters Research. The investment firm would make the vulnerabilities public in exchange for giving the cybersecurity firm a cut of the profits Muddy Waters made from betting against the medical device maker's stock, MedSec chief executive Justine Bone said in an interview. The arrangement was first reported by Bloomberg News.
The deal represents a potentially lucrative new strategy for monetizing cybersecurity research. But some experts question the ethics of the agreement and worry it may lead other hackers to seek profits rather than the security of products.
Bone said the agreement with Muddy Waters is partially a way to recoup the costs from spending a year and a half researching medical-device security. But the decision to go public was also an accountability measure: Her team was alarmed by the problems they found in St. Jude devices and was worried patients wouldn't know about risks lurking inside their own chests, Bone said.
“We felt that if we were to take a traditional course and engage directly with [St. Jude Medical] — as others had done before — it was highly likely or almost certain that we would get hushed up and it would be brushed aside,” she said, citing a 2014 Reuters report about the Department of Homeland Security investigating security flaws in St. Jude’s products.
MedSec demonstrated that some of the medical device maker’s implantable heart equipment has potentially fatal flaws — leaving them vulnerable to attacks that could speed up pacemakers to dangerously fast rates or quickly drain devices' batteries — Muddy Waters alleged in a report released last week. The investment firm said the issues could cause St. Jude to lose roughly half of its revenue for two years.
The medical device maker's stock tumbled 8 percent in the hours after Muddy Waters’ announcement. It also temporarily halted trading Friday. Although trading has since resumed, the company’s value is still recovering during a critical period as it finalizes a deal to be acquired by health giant Abbott.
St. Jude vehemently denied Muddy Waters's allegations, calling them “false and misleading” in a statement on its website, and raised questions about MedSec’s methodology. St. Jude Medical also said it works with “third-party experts, researchers, government agencies and regulators in cybersecurity” to protect its devices and asked those who spot a potential security vulnerability to contact the company directly so it could verify the problem.
Muddy Waters fired back Monday with a new report critiquing St. Jude's response and a video the firm says demonstrates the alleged attacks. But Tuesday, a team of researchers at the University of Michigan who attempted to replicate MedSec's research called it inconclusive. In a statement, Muddy Waters said the Michigan research did "not attempt to re-create the attack and does not address the issues" outlined in its latest video.
The Food and Drug Administration told The Washington Post it is working with the Department of Homeland Security to investigate the claims in the Muddy Waters report, but it advised patients with St. Jude devices to continue using them as instructed by their doctors. Neither agency was informed about the report until the day it was made public, according to Bone.
Although the specifics of the alleged problems are still in limbo and the details about how much Muddy Waters and MedSec have gained and stand to gain are unclear, many in the security community have raised concerns about how MedSec disclosed its research.
Kevin Fu, a Michigan professor who led the team that tried to verify MedSec's findings, called MedSec's approach "certainly unorthodox" and could not recall any other time he'd seen "a security researcher funded by a short seller to disclose something in this manner.”
Yet the idea isn’t totally novel: Chatter about using bugs to make money by manipulating stocks has been floating around security conferences for years, Veracode chief technology officer Chris Wysopal told The Post. Notorious Internet provocateur Andrew Auernheimer even claimed that he planned to set up a hedge fund to short companies with security flaws after hacking charges against him were overturned in 2014.
But experts think MedSec is the first company to try out the strategy publicly.
Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative and founder of a group focused on cybersecurity and physical safety called I Am the Cavalry, said he is "greatly" concerned by the precedent it set.
He worries that MedSec and Muddy Waters’ tactics will undermine efforts to build trust in the medical device security market. “This has now potentially created an adversarial relationship again where white hat hackers can be viewed as opportunistic or greedy,” he said, using a term for cybersecurity specialists who assess the vulnerabilities of systems before others can exploit them.
But Corman's even more concerned that users will be left at risk if researchers decide to try their luck on Wall Street instead of quietly helping companies patch up their systems — especially with technology where people’s lives are on the line. If companies don't know about security flaws until they've already been made public, bad actors could take advantage of problems while developers scramble to come up with a fix, Corman said.
“Where is the discussion about patient safety and the devices that are currently in people’s chests?” he said.
Bone argued MedSec did patients a service by telling them what St. Jude would not — and added that the information disclosed through Muddy Waters didn’t include enough detail to put patients at immediate risk.
But Fu and Corman questioned why Bone didn't reach out to the FDA about their findings in advance. The agency often works with researchers who think they have found critical digital security problems in life-saving technology. That’s the approach Fu has taken when he has found technical issues with implantable medical devices in the past, he said — in part because he “didn’t want to cause unneeded alarm to patients.”
Suzanne Schwartz, who leads the FDA's medical device cybersecurity initiative, expressed disappointment at MedSec's tactics. "Obviously, this type of disclosure we would not consider to be favorable to improving or strengthening the medical device ecosystem," she told The Post.
The agency has been working to improve how it handles the high-tech risks that come with digital medical devices for years. Just this January, the FDA released draft guidance for how manufacturers should manage cybersecurity for medical devices already on the market.
A key component of the draft guidance is "establishing and supporting formal policies for coordinated vulnerability disclosure" where researchers and manufacturers collaborate to identify and mitigate digital threats before they can harm patients, the FDA told The Post.
Bone said her company has no current plans for similar shorting deals and could imagine returning to a more traditional disclosure model when dealing with companies it is more confident will respond responsibly to vulnerability reports.
But given the reaction to MedSec’s first foray into using computer flaws for financial market gains, some expect it won’t stay an option for long.
“When something like this happens, you can easily imagine a congressperson or the SEC saying this is a new way to manipulate stock prices and cracking down,” Corman said.
The SEC declined to comment on the situation. But the MedSec and Muddy Waters deal doesn't seem to fall afoul of current rules.
"There's no regulation around this activity," according to Veracode's Wysopal. Instead, it's just the ethics that "can get very murky," he said.