Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Medicine Security Software News Hardware Technology

The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com) 81

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

This discussion has been archived. No new comments can be posted.

The Big Short: Security Flaws Fuel Bet Against St. Jude

Comments Filter:
  • 5%? (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Thursday August 25, 2016 @09:37PM (#52772913) Homepage Journal
    Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.
    • Re:5%? (Score:4, Insightful)

      by Dorianny ( 1847922 ) on Thursday August 25, 2016 @10:30PM (#52773049) Journal
      A voluntary or a FDA ordered full recall one are unlikely or you would have seen the stock price come crashing down and trading halted . Device security is just not taken seriously in the industry. Practically the only invulnerable devices are the ones with network-stack implementations so broken as to render networking functions pretty usless. The Industry benefits from there not being any cases of harm to patients. Few people outside of research would target medical devices given the risk of causing physical harm to innocent people. Of course this could change in an instant were someone to off their rich-uncle for the inheritance by hacking into his pacemaker. The scandal would cause a tsunami that would come crashing down on the Biotech industry
      • by HiThere ( 15173 )

        How would you prove it? Would it require assistance from the company to show that that was what happened?

        • How would you prove it? Would it require assistance from the company to show that that was what happened?

          If the Coroner found the device not functioning during the autopsy and implicate it as the cause of death he could rule the death suspicious (if he were smart) and start the boll rolling for the device to end up at FBI crimes lab directly. Otherwise he would (hopefully) file a report with the FDA or the Manufacturer (which is required to report it to the FDA). Eventually a FDA inspector would get around to reading the report and hopefully be alarmed enough to ask the company to check on the cause of the mal

          • by HiThere ( 15173 )

            Autopsies are rare unless there is already strong suspicion of a crime, and most coroners aren't competent to diagnose the workings of a pace maker or defibrillator. Additionally, if the defibrillator kept trying to restart the heart until it's battery died, it would fail to respond without replacing the battery. Not a minor endeavor.

            People who are competent to diagnose defibrillators are rare, especially if they are expected to work on devices made by an arbitrary manufacturer rather than just a couple o

            • If the battery died then that would be a very strong indication of some problem. Probably they would suspect a defect in the manufacturing, but that would start the closer look that might just uncover foul play. Or not. If their logging/forensics is as bad as their security...
      • by AmiMoJo ( 196126 )

        How would a recall work exactly? Presumably they can't just upload a firmware upgrade wirelessly, as aside from anything if the process failed or even took a few seconds to restart the patient would be in serious trouble. So it would have to be surgery, I guess.

        This sort of thing is only going to get more common as we start putting more stuff inside our bodies. A year or two back it was found that a major manufacturer of breast implants was using sub-standard silicone and that the risk of leakage was high,

        • by gtall ( 79522 )

          Some med devices have OTA updates of their firmware. Companies see it as a much less obtrusive way of updating than tearing it out and replacing it.

          • by AmiMoJo ( 196126 )

            Interesting. When you say OTA, I presume you mean through the skin from a transceiver placed on the body, rather than from any significant distance or over a network, right?

            • With IPV6 and IoT, every device can have its own IP address. You can keep even monitor your loved ones...

              ping grandpa .... No Response ... No Response ... No Response

              GRANDPA!!!!!

      • In other words, they would argue they don't need to take security seriously because there isn't a serious threat. The rich uncle is a good example of a somewhat realistic situation, but I don't agree that it would set off any flood of concern. Probably very few would care, except maybe the uncle's other relatives. But settling that lawsuit later is a lot cheaper than implementing a lot of security now. Remember, there are lots of ways to kill someone with few or no traces, as long as there is no other evide
    • Re:5%? (Score:5, Insightful)

      by whoever57 ( 658626 ) on Thursday August 25, 2016 @11:31PM (#52773169) Journal

      Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

      Yes, it's a shame it didn't go down more. Until lack of security affects the bottom line, companies won't make secure devices.

      • Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

        Yes, it's a shame it didn't go down more. Until lack of security affects the bottom line, companies won't make secure devices.

        Stock prices don't affect the bottom line (other than on a IPO of course) however a bunch of pissed off investors looking at their portfolio charts shooting straight-down would likely demand the heads of the CEO and the CTO. If the Board of Trustees doesn't deliver you might see a direct share-holder vote being called. That's when you would see some real change in the Industry. Nothing greases the wheels quite like the blood of executives

        • Stock prices don't affect the bottom line (other than on a IPO of course)

          Please, don't do any investments in stocks: you clearly don't understand this well enough.

          The question you have to ask is: why did the stock price go down? The answer to which is that investors in the stock market expect that future profits (the bottom line) will be lower. In other words, no, stock prices don't affect the bottom line (but see note), instead, the expected future of the bottom line affects the stock price.

          Note: a h

          • Stock prices don't affect the bottom line (other than on a IPO of course)

            Please, don't do any investments in stocks: you clearly don't understand this well enough.

            The question you have to ask is: why did the stock price go down? The answer to which is that investors in the stock market expect that future profits (the bottom line) will be lower. In other words, no, stock prices don't affect the bottom line (but see note), instead, the expected future of the bottom line affects the stock price.

            Pray do tell how Investors "expecting" lower earnings actually affect earnings.

            Note: a high stock price can improve a company's ability to raise capital for investment, so in this way a high stock price can affect the bottom line.

            Agreed that in the an embattled company would have more difficulties (at least have to pay higher rates) getting loans or selling bonds. However this is a function of the Company facing uncertainties about its future rather the "stock price" per se. A private company in a similar situation would face the same difficulties raising captial

      • They never will. Companies will forever operate under the auspices of "good enough to have insurance cover it". Class actions need to quit settling for amounts that are equal to 1% of 1% of a company's bottom line. Go for the throat and demand 100% of a company's gross revenues for 10 years and then haul that case to court. Work to have their business licenses yanked and start piercing the corporate veil. Remind people that, as a company, you have a duty to your customers and not just your shareholders - or
    • Their stock went up by more than 20% on April 29th, too, when they announced that they were being bought by Abbott Labs.

      After speculation causes a jump like that, prices always tend to drop back off as reality sets in and the late-comers to the party have realized that the stock isn't going up any more and they're ready to sell quickly in order to cut their losses at the slightest hint that the price may go down further.

  • by Anonymous Coward

    take a sad song
    and make it better
    but remember
    to let it into your heart
    so the hackers
    can kill you!!

  • What? (Score:2, Insightful)

    by Anonymous Coward

    Reading that made my head hurt.

    • News for People Richer than You: Stuff that Barely Matters

      • by Archfeld ( 6757 )

        Unless you happen to have or have a family member that has one of the devices in question.

        • In that case, what some analyst thinks of the share price (however data-driven it may be) is the least of your worries.

          • I agree but had the story not been published what do you think the chances they would have heard about the issue period ? I am certain the manufacturer would not have willingly acknowledged the possible issue without external pressure.

            • I'm not disputing that it's a story. We've both been on Slashdot for a long time, and our memories are probably hazy, but nonetheless help me out. Has "some analyst bets against the share price" ever been the primary focus of the story here?

              One AC above noted that the real issue is that the maintainer of an implantable biomechanical device may go bust, stranding everyone who has one implanted and (as a general case) the huge risk inherent in the rise of the Internet of Safety-Critical Things. That is the ne

              • To my knowledge you are correct. Stockholder and analyst views were never before an issue or the focus of tech stories. I think part of the change comes from the 'new' phenomenon of kickstarter/crowdsource financing which started fairly recently and part from the ridiculous way in which stocks now fluctuate based on some no-nothings comments to the media. I can see a future in which Bunsen Honeydews insights will affect the bottom line of venture capital/tech companies.

    • Reading that made my head hurt.

      Really. The financial press makes the tech press look like Joseph fucking Pulitzer.

  • Abbott to Acquire St Jude Medical http://media.sjm.com/newsroom/... [sjm.com]
  • by Anonymous Coward

    'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues

    How is this not some kind of insider trading and/or pump and dump scheme? Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings... SEC should look very closely at who has established short positions in this security.

    • Re:Sketchy (Score:4, Informative)

      by lgw ( 121541 ) on Thursday August 25, 2016 @10:39PM (#52773067) Journal

      How is this not some kind of insider trading and/or pump and dump scheme? Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings... SEC should look very closely at who has established short positions in this security.

      As long as it's an independent researcher, it's fine. No reason you need to be an insider to spot security flaws. That's how the stock market works: you have all the companies engaged in just-borderline-legal puffery, exaggeration, and hockey sticks, and you have the short-side researchers trying to spot the biggest liars. It works well overall because the analysis becomes public quickly enough, giving ordinary investors a chance to learn both sides of the story.

      Not so much from a white-hat security perspective, of course. But as long as they aren't working for the company, nor of course out there exploiting the flaws to kill people, they're OK. It's not insider trading if you're an outsider.

      • Re:Sketchy (Score:4, Informative)

        by theskipper ( 461997 ) on Thursday August 25, 2016 @11:37PM (#52773181)

        That's true and most likely what Muddy Waters did. Further, biotech traders especially are notorious for watching option flow because blowups are more common than positive outcome trials. And leaks are almost expected these days no matter how the trades are structured to hide inside info.

        But in this particular case it's almost definitely what you described, basically front-running their research just like Citron, Streetsweeper and others do. As a matter of fact, here's a screen shot showing a decent size put position being put on $STJ a few days ago (probably not just Muddy Waters but other cohorts too): https://twitter.com/WallStJesu... [twitter.com]

        It's actually one of the few ways the little guy can bank based on "inside info" just by keeping an eye out for activity like this. I personally follow about 5 users who exclusively tweet blocks and unusual option activity, it pays off about 60% of the time (not just puts, calls too). Some opening positions really are most definitely based on the illegal-type inside info, the rest are front-running research like described above.

        • (1) Investigate safety critical devices for security flaws until you find one
          (2) Short sell the manufacturer of the flawed device
          (3) ???
          (4) Profit!

          While I don't see anything illegal here, I'd want the advice of a good lawyer before putting it into practice.

        • Can you share those twitter users you follow? That seems like an interesting data point.
          • Options/Blocks: @BlockTradeAlert, @WallStJesus, @CashRocket, @OpenOutcrier, @SpeedyCalls
            T/A: @WrigleyTom, @OptionsHawk for example
            Some pro biotech/pharma guys who actually know what they're talking about: @DewDiligence, @Ogut_Ozgur, @Biomaven, @BioDueDiligence, @DavidBautz, @zbiotech, @AF_biotech/@CNS_Investing. Too many to list, check the overlap of who they follow for more.

            HTH.

        • any chance you'd PM me the twitter names of the 5 "users" you follow? If so, thanks...
    • How is this not some kind of insider trading

      Because none of the information is from inside. There is no law against doing your own research and publicising the result.

      and/or pump and dump scheme?

      The is the exact opposite of a "pump and dump". Muddy Waters is shorting the stock and then pushing the price down by PUBLISHING THE TRUTH. If it turns out the information was knowingly false, or published with reckless disregard for the truth, then they could be in big trouble. But that is unlikely because Muddy Waters and a long track record of being right on these things.

      Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings.

      Absolute

  • by Anonymous Coward

    The market doesn't respond to ANYTHING other than profit or loss. This is EXACTLY what need be done to combat security-agnostic vendors of technology.

    If this starts a trend it will become a foolish business decision to willfully ignore vulnerabilities, and RIGHTLY FUCKING SO.

  • by Anonymous Coward

    For those who are confused (as I initially was), this is talking about St. Jude Medical, which is in no way, shape or form associated with St. Jude Children's Research Hospital (it's not even a spin off company).

  • by JoeMerchant ( 803320 ) on Thursday August 25, 2016 @11:22PM (#52773151)

    You're born: without constant care you will die, you have to be provided with food, shelter and all manner of special care - your head flops around if you aren't held properly.

    When we're more mature, we're still not bullet proof, knife proof, or able to withstand a sudden stop in the vehicles we travel in, there's a long list of chemical poisons that can kill, fast or slow, many undetectable - sudden death is a possibility during virtually every hour of every day. All it takes is a bad actor to point a gun, or crossbow, or speeding car in our direction and BOOM, we're dead, or worse, in an instant.

    We sleep in houses with glass windows, we congregate in large public gatherings, we invite mass murder and mayhem all the time. A single bad actor can kill hundreds with no special resources or skills.

    So, what's so scary about a pacemaker that can "be hacked" by someone with enough time and determination? Is it that they might get away with it untraceably? Hardly likely. With all the time and effort that would go into this sort of hack, you could literally commit "the perfect murder" a dozen different ways - many of them less likely to lead back to the perpetrator. If people start dying of hacked pacemakers, the FBI will start by looking at ex-employees of the company, related companies, and "white hat" outfits like in the article. It's a relatively small group, compared to people who might have access to sodium cyanide, or a handgun and a car.

    Having said all that, it is past time for medical device companies to start at least "closing the window" on nefarious hackability of their devices, which is why the FDA released cybersecurity guidance a couple of years back.

    • by dwywit ( 1109409 )

      Same applies to much of IT - without electricity(food), it stops, without cooling(special care), it slows or stops, without careful nurturing in a special environment (alpha testing in a closed system), it won't mature (grow).

      And yet, short of death or severe damage to certain parts, we're self-healing without completely halting basic operations - you can break an arm and still walk, and we have redundancy - you can lose a kidney and still pee, you can lose an eye and still see.

      It's scary because it's our *

    • by AmiMoJo ( 196126 )

      It depends what type of hack is possible. If some script kiddy in Bulgaria can accidentally send an "off" command to every pacemaker made by these guys, then it's pretty severe. I doubt that is possible though, they can't contain modems or wifi because the battery has to last a decade or more.

      My understanding is that it's just that RF comms at a range of a few centimetres (like a contactless payment card) are not authenticated. So someone could switch the thing off at very close range, maybe further away wi

      • The "programmer wands" in old-school pacemakers only work up to about 6" away... they're special antennas, though you might be able to get some anti-theft door systems to operate the devices - but that would be a truly traceable hack.

        Newer systems are getting "more connected" with in-body networking to other devices and slightly longer range RF, but none of them are "constant contact" with the cloud, and the systems I'm aware of do not have any "kill the patient at midnight on December 23rd" program capabil

        • by AmiMoJo ( 196126 )

          Thanks, interesting stuff.

          • Shortly after posting this, someone informed me of a "nightly contact with the cloud" system that has been out there for a while (uses POTS, so that puts some kind of date range on it). So, if you don't trust the cloud contact, then a whole lot of pacemakers might get shut off at once that way. Not everybody who loses their pacemaker functionality has serious trouble, or any kind of trouble right away, but some will...

    • My Dad has a STJ pacemaker with the Merlin at home communication device in question. Merlin is a monitoring device that the implantee sets up next to their bed, and it wirelessly monitors the pacemaker while they sleep. In case of a cardiac event, it notifies the central monitoring facilities and also send info about the status of the patient's heart and pacemaker (kind of like a burglar alarm system). It is a real game-changer and has saved many peoples' lives. Merlin operates over old-school POTS (not

      • When I read "it should be illegal to have knowledge" I hit a full stop, right there... however, using knowledge for "insider trading" is a special case, and I could see this being worse than simple company insiders profiting (as they do all the time, skirting the edges of the regulation - and frequently stepping over because they know enforcement is lax.)

        Ultra-libertarians might argue that the profit is reward for ultimately exposing life threatening vulnerabilities, ultra-libertarians are also mostly psych

        • I'm generally small-L, practical libertarian (not one of the psycho variety you describe above) who supports the free market and civil liberties, but I'll absolutely stand by my original statement: if you have knowledge of a serious exploit in a critical medical device like a pacemaker or artificial heart, and you choose NOT to report that information so you can instead profit from it, you should go to jail, and for a long time. Most sane, mainstream libertarian-leaning folks acknowledge that some amount o
    • by phorm ( 591458 )

      "what's so scary about a pacemaker that can "be hacked" by someone with enough time and determination"

      Well, part of it would be detection, and - depending on the hack - range. If, for example, a malicious actor could write a virus that causes all infected mobile phones to take down pacemakers in the area... that would be bad shit. Given the number of insecure IoT devices out there, it need not be a phone, but one of thousands or millions of little devices which could be converted to nefarious means.

      • Pacemakers are getting more connectivity options all the time, but I don't think anyone has gone so trendy as to give one bluetooth, yet. (There are some fundamental problems transmitting 2.4GHz from inside living tissue...)

  • There: "MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes"

    nuff said....

    Maybe even investors listening to grapevine going short before the hubbub trying to make a buck.

  • ".... It seems like a high stakes game that people may live to regret."

    More like '... die to regret.'

  • Instead of wasting time and money doing dragnet email and phone surveillance and conducting bullshit entrapment stings to create fake "terrorists," the TLAs should absolutely exterminate these kinds of human garbage. Seriously, they need to identify and prosecute these fucks with the most extreme prejudice possible. Human greed has no boundaries.
  • I have an ICD from a different company and I can communicate with it up to about 10 meters (not wifi). I'm hoping to improve my antenna design to increase the distance a bit.

    Secure? Nothing is really secure...

  • This would be an excellent opportunity for the government to establish a policy to improve information security for vital systems (if the government were at all inclined to establish beneficial policy... but just go with it for the hypothetical).

    The FDA could offer an open, public bounty for any demonstrable vulnerability in any medical device, with a sufficiently motivational amount (say, 2x the going black market rate for desirable vulnerabilities in other areas). Then they could establish a policy of fin

"We don't care. We don't have to. We're the Phone Company."

Working...