A cybersecurity company has taken a unique and surprising course of action after finding serious vulnerabilities in medical device technology.
Ethical hacking as a practice frequently proves beneficial to everyone involved: the vulnerable companies get to address sensitive issues, and the hackers receive credit for discovering them. However, one cybersecurity research company has taken quite a different approach to the practice, one which could earn it a lot of money.
When MedSec, a cybersecurity research company, discovered a number of serious vulnerabilities in pacemakers and defibrillators made by St. Jude Medical, it opted not to notify the manufacturer. Instead, it went to Carson Block of the investment firm Muddy Waters. Muddy Waters then decided to bet against St. Jude in the stock market rather than notify the company, a move that could endanger quite a number of lives.
The agreement between MedSec and Muddy Waters, as explained by Bloomberg, is a tricky one. MedSec's compensation depends on how far St. Jude's stock price falls as a result of Block betting against it, so both parties stand to profit at St. Jude's expense. If the bet proves unsuccessful, however, MedSec loses the money it invested in the whole process.
There is another side to MedSec's decision as well. The company says it took this course of action because it was not convinced that St. Jude would address the serious vulnerabilities in its pacemakers and defibrillators; it expected the manufacturer to simply ignore a report and continue to endanger the lives of its patients. To make sure St. Jude could not do that, MedSec decided that merely making the vulnerabilities public and damaging St. Jude's reputation would not be enough: it wanted to make the company pay for it as well.
Security evangelist Jessy Irwin, however, offers another view of the argument. According to Irwin, MedSec could have taken the matter to CERT, which would have resulted in FDA warnings and Homeland Security advisories, meaning that St. Jude would not have been able to simply ignore the issue. CERT also imposes a public disclosure deadline on such vulnerabilities, giving the organization 45 days before the details are made public. St. Jude would therefore have had 45 days in which to deal with the issue, after which it would have been disclosed regardless of whether the company had fixed it or not.
The agreement between MedSec and Muddy Waters could be cited as a precedent in the future, and it could teach different lessons. Depending on the outcome, it may be treated as an example of how to make sure organizations take such vulnerabilities seriously, or as an example of security researchers using exploits for leverage and profit rather than helping the company fix them.