Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

Some sharks wear suits and ties


Analysis A team of security researchers tipped off an investment firm about alleged software vulnerabilities in life-preserving medical equipment in order to profit from the fallout.

Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, believed they found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical. Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation.

MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws are made public, MedSec and Muddy Waters could all profit. The more the shares fell, the higher MedSec's profits would be.

Muddy duly published details of the alleged flaws earlier today, on Thursday, and sent this doom-laden alert to investors:

Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.

We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.

St Jude's share price fell 4.4 per cent to $77.50.

MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts admittedly in a rather unorthodox manner.

"We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog.

"Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products."

Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed. If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case.

Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit. Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the alleged flaws, which could help depress the share price further and thus boost his profits.

"The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed.

But based on his own company's report today into the St Jude devices, that seems unlikely. The two attack vectors mentioned include a battery draining attack and one that could "crash" a pacemaker. However, both require the attacker to compromise the device's home monitoring unit or be nearby with a software-defined radio for about an hour. According to MedSec, you can send a particular sequence of signals to a pacemaker wirelessly, and it will eventually stop working one way or another, allegedly.

The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security. It estimates the faults will take years to rectify.

Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec.

The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong.

Medical device hacking has been demonstrated for years now, so much so that's it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue. ®


Other stories you might like

  • Apple's latest security feature could literally save lives
    Cupertino is so sure of Lockdown Mode it's offering $2m to bug hunters to break it

    Apple's latest security feature won't be used by most of its customers, but those who need Lockdown Mode could find it to be a literal life saver.

    The functionality, coming with iOS/iPadOS 16 and macOS Ventura, dramatically shrinks an iDevice's attack surface by disabling many of its features. It's designed to protect the small number of Apple users who, "because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware," Apple said in a statement. 

    Lockdown, thus, effectively reduces the number of potential vulnerabilities spyware could exploit to compromise a device, cutting the possible routes into surveillance targets' kit.

    Continue reading
  • Has Intel gone too far with its Ohio fab 'delay' stunt?
    With construction unceremoniously underway, x86 giant may have overplayed its hand

    COMMENT The way Intel has been talking about the status of its $20 billion Ohio fab project, you would be forgiven if you assumed that construction on the Midwest mega-site has been delayed in light of Congress struggling to pass a large subsidies package that would support new American chip factories.

    When Intel delayed a groundbreaking ceremony for the Ohio manufacturing site two weeks ago out of frustration over the subsidies inaction, some headlines may have given you the impression the semiconductor giant was putting off construction entirely.

    However, an Intel spokesperson made it clear to The Register and others at the time that the start date for construction had not changed.

    Continue reading
  • Hive ransomware gang rapidly evolves with complex encryption, Rust code
    RaaS malware devs have been busy bees

    The Hive group, which has become one of the most prolific ransomware-as-a-service (RaaS) operators, has significantly overhauled its malware, including migrating the code to the Rust programming language and using a more complex file encryption process.

    Researchers at the Microsoft Threat Intelligence Center (MSTIC) uncovered the Hive variant while analyzing a change in the group's methods.

    "With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," the researchers said in a write-up this week.

    Continue reading
  • What do you mean your exaflop is better than mine?
    Gaming the system was fine for a while, now it's time to get precise about precision

    Comment A multi-exaflop supercomputer the size of your mini-fridge? Sure, but read the fine print and you may discover those performance figures have been a bit … stretched.

    As more chipmakers bake support for 8-bit floating point (FP8) math into next-gen silicon, we can expect an era of increasingly wild AI performance claims that differ dramatically from the standard way of measuring large system performance, using double-precision 64-bit floating point or FP64.

    When vendors shout about exascale performance, be aware that some will use FP8 and some FP64, and it's important to know which is being used as a metric. A computer system that can achieve (say) 200 peta-FLOPS of FP64 is a much more powerful beast than a system capable of 200 peta-FLOPS at just FP8.

    Continue reading
  • Meta's AI translation breaks 200 language barrier
    Open source model improves translation of rarer spoken languages by 70%

    Meta's quest to translate underserved languages is marking its first victory with the open source release of a language model able to decipher 202 languages.

    Named after Meta's No Language Left Behind initiative and dubbed NLLB-200, the model is the first able to translate so many languages, according to its makers, all with the goal to improve translation for languages overlooked by similar projects. 

    "The vast majority of improvements made in machine translation in the last decades have been for high-resource languages," Meta researchers wrote in a paper [PDF]. "While machine translation continues to grow, the fruits it bears are unevenly distributed," they said. 

    Continue reading
  • Tracking cookies found in more than half of G20 government websites
    Sorry, conspiracy theorists, it's more likely sloppy webdev work rather than spying

    We expect a certain amount of cookie-based tracking on retail websites and social networks, but in some countries up to 90 percent of government sites have implemented trackers – and serve them seemingly without user consent. 

    A study evaluated more than 118,000 URLs of 5,500 government websites – think .gov, .gov.uk. .gov.au, .gc.ca, etc – hosted in the twenty largest global economies – the G20 – and discovered a surprising tracking cookie problem, even among countries party to Europe's GDPR and those who have their own data privacy regulations.

    On average, the study found, more than half of cookies created on G20 government websites were third-party cookies, meaning they were created by outside entities typically to collect information on the user. At least 10 percent, going up to 90 percent, come from known third party cookies or trackers, we're told.

    Continue reading

Biting the hand that feeds IT © 1998–2022