A security hole is a terrible thing to waste. If an exploit has the potential to affect a lot of people — for example, a hack to break into an iPhone — it could be quite a valuable asset.
Most of the time, security experts employ the principle of responsible disclosure. That means that somebody who discovers a security hole will allow the manufacturer to patch the flaw before telling everyone else about it. In exchange, the researcher gets a finder’s fee, or “bug bounty.”
But sometimes the security researcher could get a bigger reward by selling the information to competitors or hackers. To maximize income without being accused of extortion, researchers often shop their findings to broker-dealers specializing in security exploits. Some of the biggest buyers of previously unknown vulnerabilities include antivirus vendors, the National Security Agency and foreign governments. Security researchers may have an altruistic side, but they’re also motivated by cash.
When it comes to popular products, it’s a seller’s market. The FBI paid $1.3 million just to get into an iPhone! But what happens if a researcher discovers a vulnerability in a niche medical device? A pacemaker, for example?
MedSec is a cybersecurity firm that faced just this problem. After a year spent dismantling various devices, the group thought it had discovered potential security flaws in cardiac devices made by St. Jude Medical. But an exploit with a small user base isn’t valuable to hackers. It’s not worth anything to the NSA. The Russian government doesn’t want it. The medical-device manufacturer might be the only one willing to buy the information, which means the seller has no leverage.
To boost price discovery in the absence of bidders, MedSec took its findings to an investment-research firm, Muddy Waters. Muddy Waters published a 33-page report on Aug. 25 that sort of explains how to value MedSec’s discovery.
Maybe the value of a security vulnerability can be measured by how much it hurts a company’s stock price. The report begins by stating that Muddy Waters had taken a short position in St. Jude Medical, a bet that the stock price would fall. It then warns that catastrophic cyber attacks might be caused by either “crashing” St. Jude’s cardiac devices or remotely draining the batteries. Most of the document discusses how much St. Jude will have to spend on product recall and litigation, with devastating predictions for the stock price. The report is vague on the technical details of the security vulnerability, but that’s because it’s designed to be a sales pitch.
MedSec’s fees are tied to the performance of Muddy Waters’s short position.
So far it looks profitable. As of Friday evening, St. Jude stock was down 5.6 percent from its high on the day before Muddy Waters announced its report.
St. Jude Medical has denied the security allegations and filed a defamation lawsuit against Muddy Waters and MedSec. The filing explains that the supposed “crash” described by Muddy Waters is in fact a safeguard designed to protect against unexpected conditions. Furthermore, a successful battery-depletion attack would require hundreds of hours of sustained radio-frequency signals transmitted within close proximity of the victim.
How do you quantify the risk of a 100-hour proximity attack? Are there really evil hackers hiding outside of hospitals with high-powered radio transmitters, just waiting to launch a massive cyber-assault? How do you know that there aren’t?
St. Jude states that this risk is misrepresented, but it’s not up to St. Jude. Different customers can tolerate different levels of risk. A few years ago, former Vice President Dick Cheney revealed that his doctor ordered his heart implant disabled due to fears that it might be hacked in an assassination attempt. Most people don’t have to worry about assassins, but maybe Dick Cheney does. A medical device company cannot possibly know how many of its customers could be targets.
The current situation puts St. Jude in an awkward spot. If the company now releases a security update, it looks like an admission of fault. If it instead makes a point of dismissing the potential risks, it could be in hot water if a pacemaker patient gets hurt by something related to the charges in the Muddy Waters report. Patching known vulnerabilities is the prudent thing to do, especially now that Muddy Waters has so loudly advertised the possibility of attacks.
The nature of cybersecurity is that the risk is unquantifiable. We don’t have actuarial tables for this stuff, and new attack vectors are discovered all the time. In most cases, the manufacturer quietly releases a security patch and it has no bearing on the company’s stock price. St. Jude says in its lawsuit that since 2013, it has released seven different security updates for one of the devices in question.
Market-bombshell scare tactics are unnecessary. Come on, these patients already have heart problems. There were seven security vulnerabilities in one medical device when it went to market. The only reason this episode had any effect on St. Jude’s stock price is that nobody had questioned the security and safety of all the others. In the end, the biggest risks are to St. Jude’s shareholders, not its patients.