Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

Analysis A team of security researchers tipped off an investment firm about alleged software vulnerabilities in life-preserving medical equipment in order to profit from the fallout.

Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, believed they found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical. Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation.

MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws are made public, MedSec and Muddy Waters could all profit. The more the shares fell, the higher MedSec's profits would be.

Muddy duly published details of the alleged flaws earlier today, on Thursday, and sent this doom-laden alert to investors:

Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.

We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.

St Jude's share price fell 4.4 per cent to $77.50.

MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts admittedly in a rather unorthodox manner.

"We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog.

"Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products."

Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed. If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case.

Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit. Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the alleged flaws, which could help depress the share price further and thus boost his profits.

"The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed.

But based on his own company's report today into the St Jude devices, that seems unlikely. The two attack vectors mentioned include a battery draining attack and one that could "crash" a pacemaker. However, both require the attacker to compromise the device's home monitoring unit or be nearby with a software-defined radio for about an hour. According to MedSec, you can send a particular sequence of signals to a pacemaker wirelessly, and it will eventually stop working one way or another, allegedly.

The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security. It estimates the faults will take years to rectify.

Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec.

The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong.

Medical device hacking has been demonstrated for years now, so much so that's it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue. ®