A few hours after Carson Block announced last Thursday that he was shorting St. Jude Medical Inc. stock over hacking risks to the company’s pacemakers and defibrillators, the e-mails started stacking up in Billy Rios’ and Jonathan Butts’ inboxes.
The two are top medical-device cybersecurity consultants, and they were inundated with inquiries from hedge funds, short sellers and other investors trying to make sense of the news — or profit themselves from the trade by Block’s firm, Muddy Waters Capital LLC. In total, Rios and Butts, who work together, said they’ve fielded more than 40 requests, with more coming in.
“This one blew up. This was like nothing else we’d seen,” said Butts, who, like the hackers working with Muddy Waters, researches ways to subvert safeguards designed to prevent intruders from breaking into medical devices. “This is almost like The Big Short — someone saw something that nobody else did.”
The trade was entirely novel. MedSec Holdings Inc., a security firm started by a former hedge fund manager, approached Muddy Waters with information about the device vulnerabilities. The investment firm took a short position in St. Jude, betting that the stock would fall when the public learned of MedSec’s discoveries. MedSec’s fees are tied to the performance of Muddy Waters’ investment.
Whether the short succeeds or not, the unique partnership between Muddy Waters and MedSec has jolted the investment community and created a model for a new way to make money in the market: Find a company or industry that is adopting internet-connected devices, check whether the gadgets are hackable, place your trades and publish the research.
As St. Jude and Muddy Waters debate the technical details of the vulnerabilities, investors are cautious. St. Jude stock is down about 5 percent from where it traded the day before Block announced his short position, cutting St. Jude’s market value by about $1.2 billion.
It has changed the landscape for professional hackers, too. Some think that technology companies may now pay bigger prizes to cybersecurity researchers who report bugs directly to them instead of teaming up with investment firms.
The unorthodox move has also put many Wall Street veterans in a bind as they try to determine what to do next. The issues involved are highly technical and analysts say it’s unclear whether the threat to patients is real or how the U.S. Food and Drug Administration, which regulates medical devices, will respond.
“I don’t know how the market can refute these claims without doing their own trials,” said Ira Gorsky, an investment analyst at Elevation LLC. “In my opinion the FDA has to do an investigation. We don’t know the evaluation process and we don’t know how an accusation like this gets adjudicated. It opens up a lot of questions.”
St. Jude said the claims are “false and misleading,” and the two sides have traded barbs over the past week about specifics of the technical claims. MedSec said it has submitted the findings to the FDA and will not publicly release attack code, which it said would prove the vulnerabilities but endanger patients.
This comes at a time when hedge fund returns have languished, adding extra urgency to the never-ending search for new strategies. Companies are also considering how to protect against such trading.
“Is this the first shot over the bow for the medtech companies? I have to imagine that the other companies who have wireless/internet-accessible technologies are taking a second look at their security systems,” said Tao Levy, managing director of medical devices equity research for Wedbush Securities Inc.
Levy doesn’t expect big funds to move money out of St. Jude because of Block’s trade. Some investors think it’s unlikely to threaten Abbott Laboratories’ $25 billion acquisition of St. Jude, which is expected to close this year, he said. Longer term, that may be less important than the creation of a new shorting strategy in an emerging field of technology that others will try to follow, he added.
Abbott said it will “continue to collaborate with St. Jude to advance the transaction.”
One prominent cybersecurity researcher said he was contacted by more than a dozen investment firms over LinkedIn over the past week, but didn’t respond because he believes MedSec and Muddy Waters’ approach is bad for the industry.
Another hacker, Nate Paul, co-founder of Knoxville, Tennessee-based security firm Moated, said he’s intrigued by the idea of hackers partnering with investment firms, because he has disclosed multiple medical-device vulnerabilities quietly and felt burned by the process. Paul is a Type 1 diabetic who hacked insulin pumps and reported his findings to companies and the government as part of his former job as a cybersecurity researcher at the U.S. Department of Energy’s Oak Ridge National Laboratory.
“In the vast majority of cases, this approach of private notification did not create the actions that I thought were warranted,” he said. “I thought that we needed more immediate and direct efforts to create security controls within vulnerable devices.”
Paul said Muddy Waters’ trade will likely put pressure on technology giants such as Google, Microsoft Corp., Facebook Inc. and Apple Inc. that provide “bug bounties” to offer bigger rewards to discourage hackers from working with stock speculators. Amounts currently range from a few hundred dollars to up to $200,000 — well short of what Muddy Waters and MedSec could make on the St. Jude trade.
“I always thought that the bug bounty programs didn’t offer people enough money for their work,” said Paul. “This is probably going to impact those programs for sure.”
Virta Laboratories Inc., a cybersecurity firm co-founded by Kevin Fu, a well-known medical device hacker, is charging $2,895 per hour to consult on the issue, according to a contract obtained by Bloomberg News. It is selling a white paper of its findings for $875.
Fu, declined to comment on the consulting fee, led a team at the University of Michigan that published a report criticizing MedSec’s findings. He said Virta received a “flood” of technical questions in response to the MedSec research and developed products and services to address the issues.
“We’re glad that the industry is developing interest in improving medical device security as we’ve urged for nearly a decade,” Fu wrote in an e-mail. Virta has no financial relationships with Muddy Waters, St. Jude, or MedSec, he added.
In Rios and Butts’ recent conversations, it was clear traders were blindsided and were scrambling to craft investment strategies based on the idea that Muddy Waters and MedSec had injected into the market.
“It’s been crazy — it’s gotten to the point where I can’t even read the e-mails anymore,” said Rios, a former U.S. Marine who runs his WhiteScope LLC consulting firm from Half Moon Bay, California. Butts, a former Air Force officer, runs QED Secure Solutions LLC from Dallas, and the two are business partners and collaborators.
The callers fell into two camps: those who were invested in St. Jude or Abbott and wanted reassurance about the safety of their bets, and those who wanted to follow Block and bet against St. Jude shares.
Butts said he could tell by the tone of the calls who fell into which camp. Both sides seem most concerned about the process and technical mechanisms the FDA will use to validate the claims, and whether the agency has the appetite to intervene in cases like these. But some are trying to evaluate the risk of more market volatility, not just in the case of St. Jude and medical devices in general, but also whether similar strategies could be used to disrupt mergers and acquisitions in other industries with cybersecurity risks, such as oil and gas, he said. Others are seeking clues about whether St. Jude might continue to be vulnerable, Butts said.
“Typically the folks who are invested in it, by the time we’re done, they’re a little down because I didn’t give them what they wanted,” Butts said. “There’s no immediate fix — there are definitely some things that have to take place to get this corrected, and it’s not all technical. This is months to years — that’s when you hear them kind of say, ’Ooh.’”
Butts said that he and Rios found something else surprising about all of the recent calls and e-mails. Despite years of their public advocacy on medical device cybersecurity, not one of the dozens of inquiries came from a medical device maker or hospital asking for help securing their devices.
“Isn’t that crazy?” Butts said. “I don’t know what to do with that information.”