st. jude medical – Techdirt

FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security

from the your-heart-attack-has-an-IP-address dept

We’ve well established that the internet of things (IOT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail-password-leaking refrigerator take on a decidedly darker tone when we’re talking about your health. The health industry’s outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment — and integral medical implants like pacemakers.

After a decade of warnings about dubious pacemaker security, researchers at MedSec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical were vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical’s first response was an outright denial, followed by a lawsuit against MedSec for “trying to frighten patients and caregivers.”

Ultimately, the FDA was forced to issue its first ever warning about the security of a pacemaker earlier this year, though the agency somewhat downplayed the potentially fatal ramifications:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

Inappropriate, indeed. St. Jude Medical has since been acquired by Abbott Laboratories, and back in April the FDA sent a warning to Abbott that it needed to design a comprehensive plan to fix the flaw (first revealed in August of last year) within fifteen days. That was followed up with a formal, voluntary recall notice issued by the FDA regarding the impacted pacemaker, believed to be the first such warning of its kind. In its warning, the FDA urged the estimated 400,000 owners of this pacemaker model to schedule a physician appointment for a firmware update, lest they find themselves quite literally hacked.

The FDA’s alert was also joined by a warning by the Department of Homeland Security outlining the problem as such:

“The pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications… The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.”

Comforting. Many security experts have been quick to point out that this may be the turning point at which companies finally begin taking these sorts of problems more seriously. But the lengths it took to bring us to this point are downright comical, involving MedSec going so far as to at one point short St. Jude stock to bring necessary attention to the problem. Hopefully, the entire saga is a shot across the bow that other security-apathetic medical implant manufacturers will wisely heed.
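The DHS advisory quoted above names two missing controls: a bypassable key-and-timestamp authentication and no cap on correctly formatted RF wake-up commands. The following is an added illustration (not St. Jude firmware, and not from the advisory) of a wake-up command gate that checks a keyed tag, rejects stale or replayed timestamps, and rate-limits accepted wake-ups so a flood cannot drain the battery; the key, window, skew and energy figures are assumptions.

```python
import hashlib
import hmac

# Constructed model of the two DHS findings. Every parameter below is an
# assumption for illustration, not a value from any real device.
WAKEUP_COST_UAH = 50       # assumed energy cost of one RF wake-up (microamp-hours)
BATTERY_UAH = 1_000_000    # assumed battery budget

def mac(key: bytes, cmd: str, ts: int) -> str:
    """Keyed tag over command and timestamp (the 'key and time stamp' scheme)."""
    return hmac.new(key, f"{cmd}|{ts}".encode(), hashlib.sha256).hexdigest()

class WakeupGate:
    """Accepts an RF wake-up only if it is authenticated, fresh, and under the rate cap."""
    def __init__(self, key: bytes, max_per_window: int, window_s: int, max_skew_s: int):
        self.key = key
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.max_skew_s = max_skew_s
        self.seen_ts = set()      # timestamps already consumed (replay protection)
        self.accepted = []        # times of wake-ups accepted inside the current window
        self.battery_uah = BATTERY_UAH

    def accept(self, cmd: str, ts: int, tag: str, now: int) -> str:
        if not hmac.compare_digest(tag, mac(self.key, cmd, ts)):
            return "bad_mac"
        if abs(now - ts) > self.max_skew_s or ts in self.seen_ts:
            return "stale_or_replay"
        # Drop entries that have aged out of the window, then enforce the cap.
        self.accepted = [t for t in self.accepted if now - t < self.window_s]
        if len(self.accepted) >= self.max_per_window:
            return "rate_limited"   # the check the DHS text says the devices lacked
        self.seen_ts.add(ts)
        self.accepted.append(now)
        self.battery_uah -= WAKEUP_COST_UAH
        return "ok"

def flood(gate: WakeupGate, key: bytes, n: int) -> dict:
    """Defender's bench test: n correctly formatted wake-ups one second apart.
    Returns a count of each outcome so the cap's effect on battery drain is visible."""
    counts = {}
    for i in range(n):
        result = gate.accept("WAKEUP", i, mac(key, "WAKEUP", i), i)
        counts[result] = counts.get(result, 0) + 1
    return counts
```

Without the rate cap (a very large `max_per_window`) every one of the n commands is accepted and the battery loses n times `WAKEUP_COST_UAH`; with the cap, drain per window is bounded regardless of how many commands arrive.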

Filed Under: cybersecurity, dhs, fda, pacemakers, security
Companies: st. jude medical

After Lawsuits And Denial, Pacemaker Vendor Finally Admits Its Product Is Hackable

from the digital-wetworks dept

Thu, Jan 12th 2017 08:33am - Karl Bode

So we’ve noted how the lack of security in the Internet of Things is a bit of a problem. Initially, many of us thought that easily hacked smart tea kettles and smart refrigerators were kind of cute. Then we realized that this same, papier-mâché-grade security is also apparently embedded in everything from automobiles to medical gear. Then, more recently, we realized that all of these poorly-secured devices were being quickly compromised and used in botnets to help fuel massive, historically unprecedented, new DDoS attacks. The warnings were there all along, we just chose to ignore them.

For more than a decade people had been warning that the security on pacemakers simply wasn’t very good. Despite these warnings, many of these devices are still vulnerable to attack. This week the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It’s notable as it’s the first time we’ve seen the government publicly acknowledge this specific type of threat.

The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They’re also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability. St. Jude Medical was quick to issue a statement patting itself on the back for patching its systems against “highly unlikely medical device cyber risks”:

“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”

Granted St. Jude Medical had previously received a bit of a nudge, and this isn’t the first time the company’s name has appeared in lights for the wrong reason. Security startup MedSec resorted to some creative tactics last year when it began shorting St. Jude Medical stock to try and highlight the company’s abysmal security, after the traditional vulnerability reporting process failed to get the company’s attention. At the time, MedSec Chief Executive Officer Justine Bone stated that the company consistently did little to nothing when vulnerabilities were reported:

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

St. Jude Medical’s first response was an outright denial, followed by a lawsuit against MedSec for “trying to frighten patients and caregivers.” Fast forward a few months, and St. Jude Medical is now trying to hold itself up as the poster child for proactive security and accountability. But the reality is that publicly shaming companies that can’t be bothered to prioritize user security (even when human lives are at risk) appears to pay notable dividends.

Filed Under: fda, iot, merlin@home, pacemaker, security
Companies: st. jude medical

Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security

from the broken-workarounds-for-a-broken-system dept

Wed, Aug 31st 2016 06:34am - Karl Bode

The one-two punch of incompetent IT administrators and botched connected device security has resulted in an unsurprising spike in ransomware attacks across the medical industry. And while the rise in easily hacked “smart” TVs, tea kettles, and kids’ toys is superficially funny in the consumer internet of things space, it’s less amusing when you’re a patient relying on poorly secured pacemakers and essential medical equipment. But much like the internet of things space, these devices are not only poorly secured, they’re supported by companies that aren’t very good at releasing timely security updates.

Case in point: a team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company’s pacemakers and defibrillators. And while we’ve talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.

According to MedSec Chief Executive Officer Justine Bone, St. Jude has a long history of implementing sub-standard security, and then doing little to nothing once these vulnerabilities are pointed out:

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

So MedSec tried something relatively unique. Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.

The report has been posted to the Muddy Waters website (pdf), with both companies standing to profit should the company’s stock price take a tumble (which has already begun, with the stock dropping 12% before trading was halted). The timing is trouble for St. Jude, which is in the process of finalizing a potential $25 billion acquisition by Abbott Laboratories. MedSec, for what it’s worth, says they only took this route because they believed St. Jude would either ignore the vulnerabilities or engage in legal hostilities:

“We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing,” said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. “We partnered with Muddy Waters because they have a great history of holding large corporations accountable.”

Unsurprisingly, the decision to punish St. Jude in this fashion immediately triggered an ethics debate in the hacker and security community. Some were quick to argue that failing to update necessary medical equipment was the real ethics violation. Some believe both St. Jude and Muddy Waters are being intentionally misleading for the sake of profit and marketing, and others are solely appalled by the short selling tactic itself. In the latter category sits security researcher Kenn White, who called the move little more than “pure naked greed”:

Not too surprisingly, St. Jude was quick to issue a statement claiming MedSec used “flawed test methodology on outdated software,” demonstrating “lack of understanding of medical device technology”:

“We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions.”

MedSec says it found two zero-day exploits opening pacemakers to attack, either by draining the battery or crashing the device software (both require being relatively close to the target). But the group also found that the company’s pacemakers often use neither encryption nor authentication over wireless, and the devices all use the same password to connect to the St. Jude network, opening the door to a reverse engineering hack on the network at large. MedSec and Muddy Waters continue to insist the company’s history indicates it would not have fixed the vulnerabilities in a timely fashion using traditional reporting methods and bounties.

Regardless of which side you believe is being more or less self-serving, punishing companies for their security incompetence using the only language they truly understand adds a massive and interesting new wrinkle in the never-ending debate over hacking ethics, and the over-arching quest to bring some accountability to companies still treating life-protecting security like an annoying afterthought.

Filed Under: cybersecurity, internet of things, pacemaker, security, short selling
Companies: medsec, muddy waters, st. jude medical