Expert Questions Claim That St. Jude Pacemaker Was Hacked – IEEE Spectrum

http://spectrum.ieee.org/the-human-os/biomedical/devices/were-pacemakers-from-st-jude-medical-really-hacked?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+IeeeSpectrum+%28IEEE+Spectrum%29&utm_content=FaceBook

This is an interesting case in which security researchers claimed to have found a serious vulnerability in a medical device and earned money when the company's stock value dropped.

2 Comments

  1. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    St. Jude Medical files suit against MedSec and Muddy Waters, says MedSec made false claims about security of its products and conspired to manipulate stock

    St. Jude Alleges False Claims, Stock Manipulation in Suit Against Med Sec, Muddy Waters
    https://threatpost.com/st-jude-alleges-false-claims-stock-manipulation-in-suit-against-med-sec-muddy-waters/120399/

    St. Jude Medical yesterday filed a lawsuit alleging that investment research firm Muddy Waters and healthcare security research company Med Sec made false claims in a report focused on the security of St. Jude products. The report released Aug. 25 warned of potentially catastrophic cybersecurity vulnerabilities in St. Jude pacemakers, defibrillators and other medical devices. The research was conducted by Med Sec as part of an 18-month study on medical device security. The controversial twist to this story is Med Sec’s disclosure to Muddy Waters rather than to the device manufacturer, and Muddy Waters taking a short position on St. Jude stock.

    Over-arching the entire saga is that Abbott Labs, a global healthcare company, is in the process of acquiring St. Jude Medical for $25 billion. It is unknown whether the report or lawsuit will impact the acquisition. What is known is that Muddy Waters and Med Sec stand to profit from the shorting of St. Jude stock.

    The potential for profiting from Muddy Waters’ shorting of the stock, Bone said, is an attempt to recoup its costs for conducting the research.

    St. Jude has from the beginning denied the claims made by Muddy Waters in its report.

    The tack taken by Muddy Waters and Med Sec also flies against more than a decade of debate and work on developing vulnerability disclosure guidelines that can be used by white hat researchers and affected technology providers. Companies have gone to great lengths to establish processes by which researchers can safely report bugs and have them remediated. Bug bounties are the new norm as well, with many technology companies building out private and public programs that allow researchers to coordinate the reporting of bugs and receive rewards for their work. At the recent Black Hat conference, for example, Apple announced the start of a private bug bounty for iOS with six-figure payouts for the most critical of bugs.

    “This type of disclosure puts profits before safety and that rarely ends well,” said researcher Troy Hunt, interviewed by Threatpost last week.

    See more at: St. Jude Alleges False Claims, Stock Manipulation in Suit Against Med Sec, Muddy Waters https://wp.me/p3AjUX-vjV

  2. Tomi Engdahl says:

    Medical Equipment Company Sues Firm That Traded on Its Hackable Bugs

    In the long history of controversies over hackers who find and publicize hackable bugs, the case of St. Jude Medical and the finance firm Muddy Waters may be one of the messiest. Last month Muddy Waters and the security research firm MedSec teamed up to expose what they described as flaws in St. Jude’s pacemakers and defibrillators that could put patients’ lives in danger, potentially bricking the medical implants. And they went a step further: Muddy Waters also short-sold St. Jude’s stock, then profited from the resulting drop after the expose went public. Now St. Jude is firing back with a lawsuit accusing both the hackers and traders of illegal and damaging behavior like market manipulation and false accusations. Meanwhile, researchers at the University of Michigan published a rebuttal to MedSec prior to the lawsuit, claiming to refute some of the vulnerabilities MedSec found.

    Source: https://www.wired.com/2016/09/security-news-week-google-ups-ante-web-encryption/
