Slashdot Mirror
The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com)

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

13 of 81 comments

  1. 5%? by 110010001000 · · Score: 4, Insightful

    Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

    1. Re:5%? by Dorianny · · Score: 3, Insightful

      A voluntary or an FDA-ordered full recall is unlikely, or you would have seen the stock price come crashing down and trading halted. Device security is just not taken seriously in the industry. Practically the only invulnerable devices are the ones with network-stack implementations so broken as to render networking functions pretty useless. The industry benefits from there not being any cases of harm to patients. Few people outside of research would target medical devices given the risk of causing physical harm to innocent people. Of course this could change in an instant were someone to off their rich uncle for the inheritance by hacking into his pacemaker. The scandal would cause a tsunami that would come crashing down on the biotech industry.

    2. Re:5%? by whoever57 · · Score: 5, Insightful

      Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

      Yes, it's a shame it didn't go down more. Until lack of security affects the bottom line, companies won't make secure devices.

      --
      The real "Libtards" are the Libertarians!

    3. Re:5%? by jbmartin6 · · Score: 2

      In other words, they would argue they don't need to take security seriously because there isn't a serious threat. The rich uncle is a good example of a somewhat realistic situation, but I don't agree that it would set off any flood of concern. Probably very few would care, except maybe the uncle's other relatives. But settling that lawsuit later is a lot cheaper than implementing a lot of security now. Remember, there are lots of ways to kill someone with few or no traces, as long as there is no other evidence. In the uncle's case, the murderous heir would be the prime suspect if there were any whiff of foul play and would leave other evidence like browser search history. Not that the crime couldn't happen, it would just be pretty rare. Is that enough to change the economic calculus for the medical device company?

      Or look at it this way. If the murder is undetected, the device company isn't in trouble and has no reason to add security. If the murder is detected, the criminal is convicted and others are deterred from using the same methods. The crime gets added to the list of all the other solved murders which used candlesticks in the library and such. Either way, the medical device company has no motivation to change anything.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

  2. Saint Jude, don't let me down! by Anonymous Coward · · Score: 2, Funny

    take a sad song
    and make it better
    but remember
    to let it into your heart
    so the hackers
    can kill you!!

  3. What? by Anonymous Coward · · Score: 2, Insightful

    Reading that made my head hurt.

  4. Re:Sketchy by lgw · · Score: 3, Informative

    How is this not some kind of insider trading and/or pump and dump scheme? Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings... SEC should look very closely at who has established short positions in this security.

    As long as it's an independent researcher, it's fine. No reason you need to be an insider to spot security flaws. That's how the stock market works: you have all the companies engaged in just-borderline-legal puffery, exaggeration, and hockey sticks, and you have the short-side researchers trying to spot the biggest liars. It works well overall because the analysis becomes public quickly enough, giving ordinary investors a chance to learn both sides of the story.

    Not so much from a white-hat security perspective, of course. But as long as they aren't working for the company, nor of course out there exploiting the flaws to kill people, they're OK. It's not insider trading if you're an outsider.

    --
    Socialism: a lie told by totalitarians and believed by fools.

  5. Not related to the hospital by Anonymous Coward · · Score: 2, Informative

    For those who are confused (as I initially was), this is talking about St. Jude Medical, which is in no way, shape or form associated with St. Jude Children's Research Hospital (it's not even a spin off company).

  6. Insightful, +1 by PopeRatzo · · Score: 2

    Reading that made my head hurt.

    Really. The financial press makes the tech press look like Joseph fucking Pulitzer.

    --
    You are welcome on my lawn.

  7. We're all giant security flaws from birth by JoeMerchant · · Score: 2, Interesting

    You're born: without constant care you will die; you have to be provided with food, shelter and all manner of special care; your head flops around if you aren't held properly.

    When we're more mature, we're still not bulletproof, knife-proof, or able to withstand a sudden stop in the vehicles we travel in; there's a long list of chemical poisons that can kill, fast or slow, many undetectable; sudden death is a possibility during virtually every hour of every day. All it takes is a bad actor to point a gun, or crossbow, or speeding car in our direction and BOOM, we're dead, or worse, in an instant.

    We sleep in houses with glass windows, we congregate in large public gatherings, we invite mass murder and mayhem all the time. A single bad actor can kill hundreds with no special resources or skills.

    So, what's so scary about a pacemaker that can "be hacked" by someone with enough time and determination? Is it that they might get away with it untraceably? Hardly likely. With all the time and effort that would go into this sort of hack, you could literally commit "the perfect murder" a dozen different ways - many of them less likely to lead back to the perpetrator. If people start dying of hacked pacemakers, the FBI will start by looking at ex-employees of the company, related companies, and "white hat" outfits like in the article. It's a relatively small group, compared to people who might have access to sodium cyanide, or a handgun and a car.

    Having said all that, it is past time for medical device companies to start at least "closing the window" on nefarious hackability of their devices, which is why the FDA released cybersecurity guidance a couple of years back.

    1. Re:We're all giant security flaws from birth by JoeMerchant · · Score: 2

      The "programmer wands" in old-school pacemakers only work up to about 6" away... they're special antennas, though you might be able to get some anti-theft door systems to operate the devices - but that would be a truly traceable hack.

      Newer systems are getting "more connected" with in-body networking to other devices and slightly longer range RF, but none of them are "constant contact" with the cloud, and the systems I'm aware of do not have any "kill the patient at midnight on December 23rd" program capabilities... if you're going to switch it off, it's going to happen more or less immediately after the communication event.

  8. Re:Sketchy by theskipper · · Score: 3, Informative

    That's true and most likely what Muddy Waters did. Further, biotech traders especially are notorious for watching option flow because blowups are more common than positive outcome trials. And leaks are almost expected these days no matter how the trades are structured to hide inside info.

    But in this particular case it's almost definitely what you described, basically front-running their research just like Citron, Streetsweeper and others do. As a matter of fact, here's a screen shot showing a decent size put position being put on $STJ a few days ago (probably not just Muddy Waters but other cohorts too): https://twitter.com/WallStJesu...

    It's actually one of the few ways the little guy can bank based on "inside info" just by keeping an eye out for activity like this. I personally follow about 5 users who exclusively tweet blocks and unusual option activity, it pays off about 60% of the time (not just puts, calls too). Some opening positions really are most definitely based on the illegal-type inside info, the rest are front-running research like described above.

  9. Re:Sketchy by ShanghaiBill · · Score: 2

    How is this not some kind of insider trading

    Because none of the information is from inside. There is no law against doing your own research and publicising the result.

    and/or pump and dump scheme?

    This is the exact opposite of a "pump and dump". Muddy Waters is shorting the stock and then pushing the price down by PUBLISHING THE TRUTH. If it turns out the information was knowingly false, or published with reckless disregard for the truth, then they could be in big trouble. But that is unlikely because Muddy Waters has a long track record of being right on these things.

    Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings.

    Absolute nonsense. RTFA. The company did NOT have access to this information. It came from independent research.