We are in the security business and making money off of vulnerabilities is what we do. We search for vulnerabilities, we patch vulnerabilities, we implement workarounds for those that have no patches and we work to protect our clients against known and even suspected vulnerabilities. Vulnerabilities are what make us money. Without vulnerabilities in software and hardware we would have a lot less work. However, our goal is to protect our clients, not to exploit them for all that we can get, so when we find a vulnerability, the question of whether we report it to the manufacturer, or look to make as much money as we can off of it, is moot. Not so for all security firms.
Gizmodo reporter Christina Warren called it ‘bats*** insane’ in her post when security firm MedSec decided to partner with an investment firm and sell a manufacturer’s stock short before disclosing security vulnerabilities in the manufacturer’s products. MedSec tested a variety of medical products by manufacturer St. Jude. MedSec found security failures, including a lack of encryption and the ability for other devices to communicate with pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. Very bad. ‘Denial of Service’ takes on a new meaning when the service is your pacemaker. Instead of reporting the findings to St. Jude, the normal approach to vulnerability disclosure in medical technology, MedSec partnered with Muddy Waters Capital and bought St. Jude stock before releasing the results of their findings to the public. MedSec’s Chief Executive Officer Justine Bone said St. Jude’s past record of ignoring warnings, and the chance that it could sue MedSec to keep it quiet, ‘precluded that approach’. MedSec and Muddy Waters cited a 2014 Homeland Security investigation into St. Jude and other device makers’ cybersecurity, reported by Reuters, as a warning that St. Jude could have heeded but did not.
The CEO of MedSec defended her company’s actions in an interview with Bloomberg, but didn’t convince me one bit that their efforts to protect patient safety were genuine. Watch the interview yourself and you will see a lack of due diligence, how Bone (the CEO) skirts the issue of their lack of process, says “the public has a right to know…” but did not report their findings to the public entity CERT, and then finally states the real reason for their tactic: “…we are looking to recover our costs…”.
There is a word for MedSec’s actions.
Shameful is the word I am thinking. Unethical does not go far enough. Scurrilous might fit, bordering on despicable. MedSec didn’t try very hard to contact the manufacturer or convince it of the seriousness of the findings, and then tried (and maybe succeeded) to turn a profit on the venture. St. Jude responded to specific findings, defending their products and noting that many of the test situations outlined by MedSec don’t exist for devices in production. The MedSec findings report claimed that the pacemaker battery could be depleted remotely at a 50-foot range, but St. Jude responded that once the device is implanted into a patient, wireless communication has an approximate 7-foot range. To quote St. Jude, “In addition, in the described scenario it would require hundreds of hours of continuous and sustained ‘pings’ within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient.”
In addition to their published response to the MedSec/Muddy Waters high-tech tactics, St. Jude also responded in a low-tech way: they filed suit. We’ll see how this plays out in court.