16 comments

[ 3.1 ms ] story [ 40.8 ms ] thread
"The critical firmware flaws came to light last year in an advisory that was sponsored by an investment that was betting against the stock of St. Jude, which was formally acquired by Abbott Laboratories in January. In the two days following the disclosure by investment firm Muddy Waters, St. Jude's stock price fell 12 percent. At the time, St. Jude issued a statement saying the Muddy Waters report was "false and misleading.""

This reminds me of the plot of Casino Royal where the villains short the stock of an airline / airplane manufacturer, then attempt to blow up the plane they are showing off to force the stock to sink. That is some questionable ethics, then again the investment firm is called "Muddy Waters" haha.

If the report is really "false and misleading" it's probably illegal. But I'm not sure why Abbott would be doing a recall if that were the case.
(comment deleted)
Hello, this is Margin calling, might want to do that recall anywho sleep well!
Muddy Waters is a famous research shop that specializes in exposing fraud or fishy accounting. They can spend years on a single thesis. They have tanked many companies who went out of their way to mislead investors.
Would love more details, since shorting a stock when you know about a critical product vulnerability sounds like "material nonpublic information" to me which would make this insider trading.
The article was very light on details.

I wonder if this is more along the line of finding an exposed database in the wild, or tracking down OEM suppliers and buying samples.

It's hard to love people doing this, because they could have disclosed this privately, but I think it _is_ fair to impose a high cost on not ensuring security, and this is one way of doing that.

Insider trading only applies if the information comes from within the company.

You're free to discover flaws in products and trade ahead of announcing them.

I wonder if there is a movie where a medical device company sells hundreds of thousands of remotely accessible life critical devices but doesn't really give a shit about security.
No movie needed, I think.
I am blown away by the fact that in a country of 300M people (~230M adults) there are 0.5M people with the same model of pacemaker!

I would have guessed the total number needing a pacemaker at all would be less than this rate (1/500).

(comment deleted)
It's a big and very active business.

In 2009 alone, doctors implanted ~225,000 pacemakers in the US: https://www.ncbi.nlm.nih.gov/pubmed/21707667

Germany had the highest reported rate of new implants for any country in the study, at almost 1/1000 just in 2009. In the US that would be 300,000 per year just in new devices, and based on the study's aggregate reporting we could guess another 1/3 for replacement devices - 400,000 new devices per year as a high guess.

There's probably better info in the article but I don't have journal access and don't want to spend $6 to get it for this article.

Hi, your pacemaker has been encrypted. It will continue to set your heartrate to this message in morse-code- unless you transfer 3 Bitcoins to the following wallet:

For more precise instructions on how to transfer Bitcoin, visit your local ER.