

Typically, when information security firms discover vulnerabilities in hardware or software, they disclose them to the manufacturer so that they can be fixed. Healthcare security firm MedSec is breaking from this norm and has instead shared this information with the financial firm Muddy Waters Research, which has shorted the stock based on this information.

According to a report by Muddy Waters Research, MedSec has discovered vulnerabilities in St. Jude's implantable cardiac devices that could cause these devices to malfunction. These malfunctions could lead to increased heart rates or cause the battery to drain at a much greater rate, which could cause physical harm to the target.

Justine Bone, the CEO of MedSec, says in a blog post on their site that they decided to break from the normal disclosure practices and instead partner with Muddy Waters in order to push the medical device maker to fix the problems by hurting them in the wallet.

In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message. 

Though this unusual partnership may cause St. Jude Medical to put more effort into resolving the vulnerabilities, it is also going to be seen as MedSec using this information to make money on the stock market. This is because MedSec could earn significant revenues from Muddy Waters shorting St. Jude Medical based on this information.

As part of this partnership, MedSec will be sharing in the profits generated by Muddy Waters taking a short position on St. Jude Medical's stock. According to the Muddy Waters Research report:

While standard practice in the cybersecurity industry is to notify companies of vulnerabilities before discussing them publicly, MedSec licensed its research to Muddy Waters so that we could bring these issues to light (without revealing detailed vulnerability information). Muddy Waters has engaged MedSec as consultants in addition to licensing its research on STJ. MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages.

Merlin@Home Device

Though this partnership is unusual, it should not detract from the vulnerabilities discovered by MedSec in St. Jude Medical devices. According to MedSec, these vulnerabilities are related to the Merlin@home device, which is located in a patient's home. This device is used to communicate with the cardiac device and then transmit data back to St. Jude Medical's network.

According to MedSec, these devices are commonly sold for as little as $35 on eBay and have significant security flaws that can be used to gain control over the implanted cardiac devices.

Due to weak encryption on the @home devices, MedSec stated they could perform the following attacks:

With relatively little effort, MedSec exploited tools on the @home devices to code the attacks. Then, using compromised @home devices or software defined radios (“SDR”), MedSec demonstrated two types of potentially catastrophic attacks:
• “crash” attacks that remotely disable cardiac devices, and in some cases, appear to cause the Cardiac Device to pace at a dangerous rate, and
• a battery drain attack that remotely runs Cardiac Device batteries down.

ICD Attack: Malfunction caused by Crash Attack

We have seen an increased trend of more and more connected devices being released with little or no attention paid to security. This report shows us that this theme extends into the medical devices industry, where a vulnerability could lead to an actual health problem for a target.
