Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value. That drop was triggered by news of alleged vulnerabilities in the company’s cardiac care devices. The vulnerability was disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had “shorted” St. Jude’s stock on the information in order to profit from a drop in the stock’s value.
The researchers at the security firm MedSec chose to take this route to disclosure, MedSec CEO Justine Bone said, to “ensure that St. Jude Medical responds appropriately and with urgency.” The partnership with a short-seller is a fundamental departure from the established approach of responsible disclosure normally taken by researchers. But it also represents an approach that bypasses the sort of legal maneuverings and threats, suppression of information, and inaction that have been experienced by researchers who have discovered vulnerabilities in other products. Researchers who discovered a vulnerability in Volkswagen electronic engine locks, for example, were forced to withhold a paper for two years through a court injunction filed by the automaker in 2012.
Muddy Waters issued a report on Thursday claiming that it had demonstrated “two types of cyber attacks against STJ implantable cardiac devices: a ‘crash’ that causes cardiac devices to malfunction… and a battery drain attack that could be particularly harmful to device dependent users.” The report claimed that the vulnerabilities had been proven in “multiple demonstrations evidencing how hollow STJ’s device security is.”