The stock of medical device manufacturer St. Jude Medical plunged on Thursday after the release of a report describing serious cybersecurity vulnerabilities in the company’s products.
MedSec, a cybersecurity company specializing in medical devices, and investment research firm Muddy Waters teamed up against St. Jude Medical in an unprecedented move, accusing the vendor of grossly neglecting cybersecurity and urging it to recall its products.
MedSec, a company launched in 2015, said it had analyzed the products of four major medical device vendors and determined that St. Jude devices are by far the most vulnerable.
The security firm’s analysis focused on St. Jude cardiac devices implanted in patients (e.g. pacemakers and implantable cardioverter defibrillators), the programmers used by physicians to configure and monitor the implantable devices, the vendor’s Merlin.net network, and Merlin@home transmitters. The Merlin@home product, which is deployed in the patient’s home, collects health data from the implanted cardiac device over radio frequencies and sends it to the Merlin.net network over a phone, broadband or cellular connection.
An analysis conducted by MedSec on second-hand Merlin@home devices and programmers obtained from a licensed physician allegedly revealed serious weaknesses stemming from the absence of proper encryption and authentication. The researchers said these flaws expose the devices and their users to attacks that could be carried out even by attackers with limited skills.
MedSec said it developed proof-of-concept exploits showing how remote attackers could cause the cardiac devices to malfunction or drain their batteries at an accelerated rate (according to the report, a battery could be depleted within two weeks if the attack were carried out overnight).
Full disclosure as part of an investment strategy
St. Jude does have a responsible disclosure program. The company has set up a dedicated email address where researchers can report vulnerabilities found in its products.
However, MedSec did not report its findings to St. Jude and instead contacted Muddy Waters, which engaged the security firm as consultants, licensed its research, and offered it compensation based on its investment profits.
The report released by Muddy Waters and MedSec says there is a strong possibility that close to half of St. Jude’s revenue will disappear for roughly two years due to these security issues. The investment firm pointed out that the affected products, which accounted for 46 percent of St. Jude’s revenue for 2015, should be recalled and remediated, a process that could take two years.
Muddy Waters, which is known for its aggressive tactics, made a bet that St. Jude Medical (STJ.N) stock would fall due to these problems, a short-selling strategy that can be highly profitable for both Muddy Waters and MedSec.
MedSec admitted that the decision to bring its findings to Muddy Waters is beneficial for its business, but claimed that the main goal was to raise awareness. The security firm’s CEO told Bloomberg in an interview that they were concerned that St. Jude “would sweep this under the rug” if approached directly.
“We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action. Most importantly, we believe that both potential and existing patients have a right to know about their risks,” Justine Bone, CEO of MedSec, said on the company’s blog.
MedSec’s report contains limited technical information on the vulnerabilities, making it difficult to verify their claims. While the report focuses on worst-case scenarios, its authors do note that they are “unaware of any imminent threat to patient safety.”
St. Jude said the accusations were “absolutely untrue.” The company claims to perform security testing on its medical devices and network equipment on an ongoing basis.
“There are several layers of security measures in place,” Phil Ebeling, Chief Technology Officer at St. Jude, told SecurityWeek. “We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices.”
While the company’s stock dropped by more than 8 percent on Thursday after the report was published, it bounced back by 3 percent by the end of the day after it denied the allegations.
Billy Rios, a security researcher who has dedicated a lot of his time to analyzing medical devices, has refrained from taking sides, but provided some advice for manufacturers.
“The entire responsible disclosure debate has been going on for decades. There are some great arguments for both sides of the debate. I would suggest device manufacturers accept that different researchers may take different approaches for how they disclose their research. These approaches may not always have the best interest of the manufacturer in mind,” Rios told SecurityWeek.
“With that said, the best approach for manufacturers here is not to try to control the researchers, but to focus on building robust security engineering programs and processes within their organizations. A manufacturer’s security strategy should not be based on the goodwill of strangers,” the expert added.
St. Jude was one of several companies whose products were examined in 2014 by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) as part of an investigation into medical devices and hospital equipment.
TrapX, a firm that specializes in deception-based security technologies, pointed out that, at a high level, St. Jude’s pacemakers are essentially IoT devices.
“There are a number of reasons why IoT security has been so challenging; because of device size, many devices can’t accommodate an operating system or processing power to support a layered security solution; oftentimes a device’s ecosystem is left open so it can communicate with other devices, which increases the number of potential threat vectors; or the device’s configuration is updated so frequently, there’s no way for the security platform to keep up with the constant changes,” Anthony James, TrapX vice president of product strategy, told SecurityWeek.
In order to better secure such devices, TrapX advises manufacturers to conduct a design review of all OEM components, develop a strategy for rapidly integrating software and hardware fixes, avoid allowing USB booting in production devices, cryptographically sign the software, secure project management interfaces, and conduct security testing, preferably using a third-party firm.
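One of the recommendations above, cryptographically signing the software, is the control that directly addresses the missing-authentication problem MedSec describes: a device that verifies a signature before accepting a firmware image or configuration cannot be fed arbitrary code by anyone who can reach it. The following is an added illustration written for this page, not code from St. Jude, MedSec or TrapX. It assumes a hypothetical image layout (a 4-byte version header, the payload, and a trailing Ed25519 signature over header and payload) and shows the device-side check rejecting a tampered image, an image signed with the wrong key, a truncated image, and a downgrade to an older version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, constructed for this example:
//   [4-byte big-endian version][payload][64-byte Ed25519 signature]
// The signature covers version||payload so the version cannot be edited
// independently of the code it describes.
const sigLen = ed25519.SignatureSize

// SignImage is what the vendor's build pipeline would do with the
// private signing key, which never leaves the vendor.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	body := append(hdr, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// VerifyImage is the device-side check. It holds only the public key,
// verifies the signature before trusting any field of the image, and
// refuses to roll back below minVersion (an anti-downgrade floor the
// device would keep in protected storage).
func VerifyImage(pub ed25519.PublicKey, image []byte, minVersion uint32) (uint32, []byte, error) {
	if len(image) < 4+sigLen {
		return 0, nil, errors.New("image too short to contain header and signature")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature verification failed; image rejected")
	}
	// Only after the signature checks out do we parse the header.
	version := binary.BigEndian.Uint32(body[:4])
	if version < minVersion {
		return 0, nil, fmt.Errorf("rollback rejected: image version %d is below floor %d", version, minVersion)
	}
	return version, body[4:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload v2") // sample input, not real firmware
	img := SignImage(priv, 2, payload)

	if v, _, err := VerifyImage(pub, img, 1); err == nil {
		fmt.Println("genuine image accepted, version", v)
	}

	tampered := append([]byte(nil), img...)
	tampered[4] ^= 0xff // flip one payload byte after signing
	_, _, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, img, 3) // device already runs v3
	fmt.Println("downgrade attempt:", err)
}
```

The important property is the ordering: nothing in the image is parsed or acted on until the signature over the whole image has been checked with a key that only the vendor can sign for, and the version check is made on signed data so it cannot be bypassed by editing the header.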
*Updated with comments from Billy Rios and TrapX