MedSec

History

2016

Independent experts confirmed vulnerabilities in St devices. Jude

On October 24, 2016 it became known that independent experts confirmed existence of vulnerabilities in the medical equipment of St. Jude Medical because of which devices can be potentially cracked by hackers, Reuters reports.

In August, 2016 Muddy Waters expressed the need of a withdrawal of pacemakers, the implanted defibrillators and heart therapeutic devices of resynchronization of the St trademark. Jude in connection with existence in these devices of vulnerabilities which can lead to failure in operation of the equipment. St. Jude submitted to federal court in the State of Minnesota (USA) the claim to Muddy Waters, having accused the company of deliberate distribution of false information.

Independent experts confirmed vulnerabilities in heart St devices. Jude

As the proof of the correctness Muddy Waters provided to court the 53-page report prepared by the Bishop Fox company specializing in questions of cyber security. Data of well-known specialists in the field of cryptography, cybercracking of computer systems, criminalistic examination and wireless communication and also opinion of specialists of MedSec Holdings research firm are provided in this report. All polled experts confirmed existence of vulnerabilities in the heart implanted St devices. Jude.

In St. Jude refrained from informative comments about providing Muddy Waters of the report on vulnerabilities in the medical equipment of the producer and only noted that the company will react to all actions of the opponent "via the relevant legal channels".

The American Food and Drug Administration (Food and Drug Administration, FDA) said that, having information which was obtained by October 24, 2016, department still recommends use of St devices. Jude patients according to instructions of their doctors.^[1]

Opening of vulnerabilities in products of St. Jude Medical

In August, 2016 it became known that the group of hackers found a method to crack pacemakers and defibrillators which are released by the large American producer of the medical equipment of St. Jude Medical. Instead of announcing the company vulnerabilities in its products, hackers addressed Carson Block, the head of Muddy Waters Capital investment firm, with the unprecedented commercial offer which will help them to earn together.

Hackers worked for MedSec. According to hackers, vulnerability of products of St. Jude Medical consists in lack of enciphering and an opportunity to be connected to pacemakers and defibrillators from not authorized devices. MedSec claims that anyone can be connected to the implants implanted in bodies of patients and cause their fatal failure. Tell about similar threats ten years, but still risk to which hundreds of thousands of people with implants of St. Jude Medical are exposed, was considered as rather theoretical. However hackers also compromised X-ray equipment, gas analyzers of blood and other technology in hospitals and nursing homes to obtain personal data of patients. Neither MedSec, nor Muddy Waters make public key technical details of cracking yet.

Pacemaker of St. Jude Medical

Hackers volunteered to publish the confirmed information that offices of St. Jude Medical are life-threatening patients. According to the plan of hackers, along with it Blok should occupy at the exchange in relation to the company "short position", i.e. undertake obligations for the forward transactions at the bear speculation. When dissemination of the compromising information strikes reputation of St. Jude Medical, and its actions will fall off, Blok will be able to earn from it. The fee of hackers will be that more, than stronger will fall in the share price.

If stocks of St. Jude Medical remained on site, losses would be suffered only by MedSec which spent funds for researches of pacemakers and defibrillators. But it did not occur – stocks dropped by 4.4% and began to be trading for $77.5. At that time in turnover at the exchange there were 25 million stocks of St. Jude Medical, thus at the bear speculation of stocks of St. Jude Medical the profit of "bears" could exceed $80 million.

Shortly before it, in April, 2016, the American chemical and pharmaceutical corporation Abbott Laboratories announced that it will redeem St. Jude Medical for $25 billion. The transaction should take place at the end of 2016. Dissemination of data on vulnerability of pacemakers and defibrillators could ruin these plans.

Carson Blok said in an interview of Bloomberg that in addition to "short position" (bear speculation) in relation to St. Jude Medical he took "long position" (goes a bull) in relation to Abbott Laboratories. It had to insure him from failure at any outcome of the case.

The information security expert Jacob Olcott, the vice president of the Boston cybersecurity company BitSight Technologies said that the transaction should draw attention of the U.S. Securities and Exchange Commission and cause some reaction from its party.

Incident was commented by Candace Steele Flippin, the vice president of St. Jude Medical for external communications. She said that personal data protection is the most important priority of the company and that St. Jude Medical performs the program for testing of information security of the equipment. What the program and what changes will be made to it after incident consists in, Flippin did not specify.

The compulsory provision of an ethic research of security – to give to manufacturing company the chance to liquidate vulnerabilities before they become widely known to the mass of potential criminals. But the CEO of MedSec Justine Bone said that he cannot go this way as St. Jude Medical in the past ignored similar warnings. Besides, there is a probability that the company will prosecute hackers to force them to be silent. MedSec and Muddy Waters refer to these investigations of activity of St. Jude Medical, undertaken in 2014. U.S. Department of Homeland Security.

According to Boun, MedSec addressed Muddy Waters as that already has an experience in involvement of large corporations to responsibility. Boun considers that St. Jude Medical could already make a lot of things for security of the devices – for example, to replace software – but the company did not take any steps.

Address to investment firm with the offer to make money on the detected vulnerabilities is very uncommon solution for hackers. Usually they monetize the found bugs by more hackneyed method, addressing directly the company which makes the compromised equipment or software. The company can pay them the fee – so-called bug bounty – and can not pay. But anyway it publicly recognizes achievement of hackers that creates them reputation and in the long term leads to employment on a perspective vacancy. However, many companies refuse to cooperate.

Earn one more method from vulnerabilities – to sell the code of the attack in the gray market to some government institution or the cyberweapon dealer. Such transaction brings up to several hundred thousands of dollars, and after it use of the attack gets out of the control of the hacker.

MedSec went on the most aggressive way which some disappointed information security specialists consider only correct. The company considers that only loss of the considerable amounts will force equipment manufacturers to draw really close attention to cyber defense of products. At the same time the startup consciously breaks the basic principles of an ethic research of security, and does it in the field of where a rate is human life^[2].

2015: Foundation of the company

MedSec was founded in 2015 by Robert Bryan who was the portfolio manager of investment consultation of Metaval Capital who also cooperated in this sphere with Cyrus Capital and Goldman Sachs companies.

Notes