This is not the way to get vulnerabilities fixed
Security startup MedSec and the financial house backing the biz have published new allegations of security flaws in pacemakers and defibrillators built by St Jude Medical – and again look set to profit from the disclosures in an unorthodox way.
In four swish videos, the MedSec team claims it exploited a debugging backdoor in the St Jude-built Merlin@home control unit so it could send commands wirelessly to a patient’s defibrillator. The team were able to hijack the control unit after reverse-engineering its software, written in Java, and hooking a laptop to the unit via Ethernet.
MedSec claims it could do away with the Merlin@home altogether, and wirelessly send orders to people’s devices in their chests from software-defined radio kit, after working out St Jude’s protocols.
Using the compromised terminal, the team says it managed to make the defibrillator vibrate constantly, turn off its heart monitoring software, or get it to administer a mild electric shock, which the actor narrating the video describes as “painful, and can be detrimental to a patient’s health if used in an unprescribed manner.”
MedSec’s CEO Justine Bone explained to The Register that the team had used a hacked MedSec device because it was the easiest route to show deficiencies in the device. By using old debugging code left on the device by the original developers, they were able to take control of it.
“We believe that this could be done from any wireless attack platform once someone had written out all protocols,” she said. “It’s going to be very hard to fix; you’d have to rewrite the RF communication protocols.”
Some of the attacks, particularly if used in conjunction with each other, could put lives at risk. But she acknowledged that in tests so far the maximum range of the defibrillator was limited to seven feet, so an attacker would have to be up close and personal.
Bone also said that the MedSec team hadn’t contacted St Jude Medical about the flaws before releasing the videos, and had instead gone to the Food and Drug Administration and the Department of Homeland Security. Bone said this was because St Jude doesn’t have a good record of sorting out flaws like this.
St Jude confirmed to The Register that MedSec hadn’t passed on any details about the flaws, and made the following statement:
“Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry.”
The company is also setting up a Cybersecurity Medical Advisory Board to give it tips on how to build more secure products. However, it appears as though it’s mostly staffed by doctors, who aren’t the best for finding sloppy software holes.
The whole sorry saga started in August when MedSec found what it claims were flaws in St Jude’s devices. Rather than go to the manufacturer and sort these out, the firm partnered with financial house Muddy Waters and shorted the stock before going public with the news.
The security firm now gets a payout based on how far St Jude’s stock price falls – the more the better. St Jude and others have disputed the claims, and St Jude is now suing those involved in the disclosures. People who have St Jude devices implanted have been left panicked and confused by the whole matter.
In the meantime, many in the security community are worried that this kind of disclosure is just going to increase fear, uncertainty, and doubt in an industry sector already bedeviled with it. If short selling becomes the norm, then headlines rather than fixes will become the goal, and it’s difficult to see how that benefits end users. ®