Security researchers warn mixing vulnerability disclosures with stock market bets sets a troubling precedent that erodes confidence in the relationship between businesses and white hat hackers who help uncover threats.
Researchers are responding to the unprecedented partnership between security research firm MedSec and investment research outfit Muddy Waters LLC. Last week, Muddy Waters released a scathing report based on MedSec research calling into question the safety of pacemakers and heart monitoring equipment made by St. Jude Medical. Muddy Waters’ stated goal was to short St. Jude Medical’s stock and profit from MedSec’s research.
On Tuesday, Muddy Waters published a video that purported to demonstrate a hacker compromising a St. Jude Medical pacemaker. The same day, St. Jude Medical rebutted the video and issued a statement reaffirming its devices’ safety.
“The video clearly shows a security feature, not a flaw. The pacemaker is actually functioning as designed. If attacked, our pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work, which further proves our commitment to safety and security,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical, in the statement.
Also on Tuesday, researchers at the University of Michigan raised questions over the veracity of Muddy Waters’ and MedSec’s claims. The researchers conducted their own research on St. Jude Medical’s pacemakers and said they were unable to reproduce the same malfunctions. University researchers said they came “to strikingly different conclusions.”
Meanwhile, security researchers told Threatpost that MedSec had entered uncharted territory when it comes to ethics around responsible disclosure because the company did not privately disclose vulnerabilities first to St. Jude Medical and stood to benefit from Muddy Waters’ short position.
“The disclosure of vulnerabilities in any technology should place the safeguard of consumers first, versus maximizing opportunistic personal gain,” said Alex Rice, CTO and cofounder of bug bounty company HackerOne.
Anthony James, CMO at TrapX Security, which specializes in healthcare security, described the partnership between MedSec and Muddy Waters as flirting with the ethical lines of research. “Obviously there was a bet placed. The bet was if MedSec did this, then there would be money gained,” James said. “I’ve never seen this before and it is close to being reckless.”
For MedSec’s part, CEO Justine Bone has publicly defended profiting from its partnership with Muddy Waters. “We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St. Jude Medical into action,” she said last week in a statement. Bone declined to comment for this article.
Bone said last week that MedSec has incurred significant up-front costs associated with the St. Jude Medical research and will attempt to recoup those investments by receiving a percentage of any gains made from Muddy Waters’ shorting of the St. Jude stock. As of Wednesday St. Jude Medical’s share price was $77.82, down from a five-day high of $81.73, the day Muddy Waters published its report on the company.
Troy Hunt, creator of the cyber-breach service Have I Been Pwned? and author at Pluralsight, said the precedent set by MedSec lays the groundwork for more alliances between research companies and profit-oriented investment firms.
“There is an assumption that a security researcher’s motives are pure,” Hunt said. “I would definitely question the motives of researchers who go down this road with a short-trader who is only interested in playing the market.”
Hunt believes the quid-pro-quo between MedSec and Muddy Waters could signal a new profit engine for cash-strapped research companies. “What would you as a researcher do if a short trader said let’s make a deal? The next big vulnerability you find, come to me first. I’ll take care of you financially,” Hunt said.
Veracode’s VP of research Chris Eng pointed out that it’s not unusual for hedge funds to dig up non-public but tradable information for a potential investment. He added this is just an extension of activities that already take place.
On the flip side of the argument, Eng said, “This has a lot of potential to be a net positive. We’ve all seen how consumer products are often designed and built in insecure ways, and let’s face it, there has been virtually no improvement unless there’s a major financial or reputational impact in doing so.”
TrapX’s James said Muddy Waters’ report on St. Jude Medical devices was more bluster than groundbreaking. “That’s the problem with this type of relationship,” he said. The objective should be maximizing safety, not attention.
Synack director of research Patrick Wardle said the brouhaha puts a bright spotlight on St. Jude Medical’s security and will likely push the company to remediate flaws faster.
“Do the ends justify the means? If I’m a customer with an implanted medical device that can be remotely affected by a hacker – I think the answer is a resounding ‘yes,’” Wardle said.
But Wardle concedes the jury is still out as to the long-term impact of this type of profit-motivated public disclosure on security.
Hunt points out that the choice between short-term financial gains and working responsibly and constructively with a company is a no-brainer. Echoing the sentiments of other researchers interviewed for this story, Hunt said, “this type of disclosure puts profits before safety and that rarely ends well.”