Trading in stock of medical device paused after hackers team with short seller

Enlarge / A St. Jude Medical cardiac defibrillator implant like the ones MedSec claimed to have found vulnerabilities in. (credit: St. Jude Medical)

Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value. That drop was triggered by news of alleged vulnerabilities in the company's cardiac care devices. The vulnerability was disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had "shorted" St. Jude's stock on the information in order to profit from a drop in the stock's value.

The researchers at the security firm MedSec chose to take this route to disclosure, MedSec CEO Justine Bone said, to "ensure that St. Jude Medical responds appropriately and with urgency." The partnership with a short seller is a fundamental departure from the established approach of responsible disclosure normally taken by researchers. But it also represents an approach that bypasses the sort of legal maneuverings and threats, suppression of information, and inaction that have been experienced by researchers who have discovered vulnerabilities in other products. Researchers who discovered a vulnerability in Volkswagen electronic engine locks, for example, were forced to withhold a paper for two years through a court injunction filed by the automaker in 2012.

Muddy Waters issued a report on Thursday claiming that it had demonstrated "two types of cyber attacks against STJ implantable cardiac devices: a 'crash' that causes cardiac devices to malfunction... and a battery drain attack that could be particularly harmful to device dependent users." The report claimed that the vulnerabilities had been proven in "multiple demonstrations evidencing how hollow STJ's device security is."

Read 7 remaining paragraphs | Comments

Congressman to FCC: Fix phone network flaw that allows eavesdropping

SS7 allows an attacker to use just a phone number to gain access to calls and texts to and from that phone—and can be used to undermine the security of WhatsApp and Telegram. (credit: Petr Kolář (modified by Ars))

A documented weakness in Signaling System 7 has been shown to allow widespread interception of phone calls and text messages (SS7 is the public switched telephone network signaling protocol used to set up and route phone calls; it also allows for things like phone number portability). This weakness in SS7 can even undermine the security of encrypted messaging systems such as WhatsApp and Telegram.

In an April segment of 60 Minutes, Democratic Congressman Ted Lieu of California allowed hackers to demonstrate how they could listen in on his calls. In light of the mass leak of congressional staffers' contact information by hackers, Congressman Lieu is now urging the Federal Communications Commission to take action quickly to fix the problem with SS7. The hackers are purportedly tied to Russian intelligence.

The vulnerability in SS7 was revealed in a presentation at the RSA security conference in March. It exploits the use of SS7 by cellular networks to handle billing and phone location data for call routing. The vulnerability is open to anyone with access to SS7 signaling. This includes not just telecommunications companies that have "roaming" relationships with a phone's primary carrier, but any state actor or hacker who has access to those companies' networks. Using SS7, an attacker could create a proxy to route calls and text messages. He could intercept them and record them without the knowledge of the people on either end of the communications. An attacker could also spoof texts and calls from a number.

Read 3 remaining paragraphs | Comments