Medsec vs. St. Jude – Security Research Version 2

About four months ago, a security firm named Medsec discovered some flaws in St. Jude Medical’s cardiac implantable products.  The accepted way to deal with this is to privately let the manufacturer know what you found, let them fix it, and then release your research.

In this case, Medsec had been told that St. Jude would not be receptive to the conversation and, they were told, some people had been shown the door when they tried to disclose bugs to St. Jude.

So, Medsec tried a novel method.  It worked, sort of, but has them in the middle of a lawsuit, so I don’t recommend trying it.

Medsec licensed the flaws to a company named Muddy Waters.  Muddy Waters makes money short selling companies.  The way they do that is to disclose mud about the company after short selling the stock, hoping the price will go down.  Medsec’s deal was that they would somehow split any profits.

St. Jude Medical, which is about to be acquired by Abbott for $25 billion, wasn’t too happy about it.  They figured that, like in the Verizon/Yahoo merger, news like this could scuttle the deal or at least cause Abbott to want to change the terms of the deal and make the stock price go down.  Looking at a stock price chart, it appears the price did go down by about $5 a share after the announcement, probably long enough for Muddy Waters to make their money, but the price appears to be $20 a share higher than it was a year ago.

However, there are some other developments.

St. Jude formed a cyber security advisory group in October, even though they say the claims are baseless.

Muddy Waters/Medsec has created a website and released videos of the hack to defend themselves as part of the lawsuit.

St. Jude Medical released a patch to solve part of the problem.

And finally, the FDA released a public alert saying that they have confirmed the vulnerabilities in the St. Jude Medical implantable cardiac devices – which I assume would have a positive effect for Medsec and Muddy Waters in the lawsuit that St. Jude Medical filed against them.

St. Jude Medical claimed that Medsec and Muddy Waters were intentionally trying to manipulate the stock price.  Of course, the question still to be answered is not whether it was willful, but whether it was illegal.

While we will never know for sure, it appears that their tactic did achieve the goal of getting the flaw patched and getting the FDA to issue an alert.  Whether the alert will impact the stock, or whether Muddy Waters is going to try to short the stock again, is unknown.

What is clear is that this researcher was willing to go to some pretty extreme measures to get St. Jude Medical’s attention.  The patch only fixed part of the problem and Medsec said that they expect more patches from St. Jude Medical.  Now that the FDA has published a public alert, there will likely be even more pressure on St. Jude Medical to fix the remaining problems.

For other businesses, there is a lesson here.  When a customer or security researcher comes to talk to you about a security problem, don’t blow them off.  YOU could be the next short-sell play or, if you are not public, they could just set up a website out of spite.

What would that do to your reputation?

Information for this post came from Dark Reading.
