
Tag: Muddy Waters

Be still my beating heart Months after steadfastly denying its heart implants have serious security vulnerabilities, St Jude – now owned by Abbott Laboratories – has issued a patch. The company's press release is here. Last year, a pentester and an investor pulled a now-notorious double act on St Jude, shorting its stock before publishing the vulnerabilities. That first disclosure drew a furious denial from St Jude, which called the claims “false and misleading”.
It followed that up by launching legal action against MedSec (the pentester) and Muddy Waters (the investor). However, the Food and Drug Administration (FDA) took things seriously enough to launch an investigation, and meanwhile in October an independent assessment of St Jude's security confirmed the vulnerabilities. At the time, there was speculation that the vulnerabilities might spoil Abbott's acquisition of St Jude, but the transaction completed on January 4, and it's under the Abbott name that the fixes are being issued. The FDA says while there's no evidence that the vulnerabilities have been exploited, they are real: “these vulnerabilities, if exploited, could allow an unauthorized user … to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter.

The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” St Jude is now offering a patch for Merlin@home, and the FDA says it has validated the patch and notes that “the health benefits to patients from continued use of the device outweigh the cybersecurity risks”. ®
Guidance advises manufacturers on how to continue monitoring the devices once they are sold. The US Food and Drug Administration (FDA) has issued guidelines on post-market cybersecurity monitoring of medical devices as a follow-up to its 2014 pre-market guidance, Information Security Media Group (ISMG) reports. The FDA's guidelines are voluntary; they outline steps manufacturers should take to keep devices secure after they reach the market and to align their programs with the NIST Framework for Improving Critical Infrastructure Cybersecurity. The guidance comes in the wake of the recent controversy surrounding allegations by Muddy Waters Capital and MedSec Holdings that pacemaker devices manufactured by St. Jude Medical had cybersecurity flaws. "Central to these recommendations is FDA's belief that medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks," says the FDA's Suzanne Schwartz, adding that the agency will continue to issue further advisories when needed. Kevin Fu of Virta Laboratories said the guidance "responds to many of the medical device security issues highlighted in reports by the National Academies and the NIST Information Security and Privacy Advisory Board over the last six years."
Bishop Fox says Merlin@Home vulns are real and deadly St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec. St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices. Rather than following what's by now an industry-accepted disclosure process (contact the manufacturer, and give them time to make a fix before publishing), MedSec partnered with Muddy Waters to short St Jude's stock. Last week, MedSec published videos demonstrating its attacks, but St Jude dismissed the videos as “unverified claims”. In a new court filing, an independent security researcher's report might make “unverified” harder to sustain. MedSec has posted this document (PDF) to its website (it doesn't yet appear in The Register's search of the case's court records on the PACER system). The report, written by Carl Livitt, a partner in security and penetration testing firm Bishop Fox, replicated first-hand “many of the attacks” first made public in August. In particular, Livitt says Bishop Fox found the St Jude Merlin@Home system could be exploited to interfere with pacemaker function, stop ICDs (implantable cardioverter defibrillators) from delivering therapy, drain device batteries, and gain administrative access to the systems. The report also says there is, as Muddy Waters/MedSec asserted, a backdoor in St Jude's wireless protocol, and that it would be “relatively easy” for a programmer to find. Bishop Fox was able to take over systems from a distance of about three metres (10 feet). The Register has contacted St Jude for comment. ®
This is not the way to get vulnerabilities fixed Security startup MedSec and the financial house backing the biz have published new allegations of security flaws in pacemakers and defibrillators built by St Jude Medical – and again look set to profit from the disclosures in an unorthodox way. In four swish videos, the MedSec team claims it exploited a debugging backdoor in the St Jude-built Merlin@home control unit so it could send commands wirelessly to a patient's defibrillator. The team was able to hijack the control unit after reverse-engineering its software, written in Java, and hooking a laptop to the unit via Ethernet. MedSec claims it could do away with the Merlin@home altogether, and wirelessly send orders to the devices in people's chests from software-defined radio kit, after working out St Jude's protocols. Using the compromised terminal, the team says it managed to make the defibrillator vibrate constantly, turn off its heart monitoring software, or get it to administer a mild electric shock, which the actor narrating the video describes as "painful, and can be detrimental to a patient's health if used in an unprescribed manner." MedSec's CEO Justine Bone explained to The Register that the team had used a hacked Merlin@home unit because it was the easiest route to show deficiencies in the device. By using old debugging code left on the device by the original developers, they were able to take control of it. "We believe that this could be done from any wireless attack platform once someone had written out all protocols," she said. "It's going to be very hard to fix; you'd have to rewrite the RF communication protocols." Some of the attacks, particularly if used in conjunction with each other, could put lives at risk. But she acknowledged that in tests so far the maximum range of the defibrillator was limited to seven feet, so an attacker would have to be up close and personal.
Bone also said that the MedSec team hadn't contacted St Jude Medical about the flaws before releasing the videos, and had instead gone to the Food and Drug Administration and the Department of Homeland Security. Bone said this was because St Jude doesn't have a good record of sorting out flaws like this. St Jude confirmed to The Register that MedSec hadn't passed on any details about the flaws, and made the following statement: "Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry." The company is also setting up a Cybersecurity Medical Advisory Board to give it tips on how to build more secure products. However, it appears as though it's mostly staffed by doctors, who aren't best placed to find sloppy software holes. The whole sorry saga started in August when MedSec found what it claims were flaws in St Jude's devices. Rather than go to the manufacturer and sort these out, the firm partnered with financial house Muddy Waters and shorted the stock before going public with the news. The security firm gets a payout based on how far St Jude's stock price falls – the more the better. St Jude and others have disputed the claims, and St Jude is now suing those involved in the disclosures. People who have St Jude devices implanted have been left panicked and confused by the whole matter. In the meantime, many in the security community are worried that this kind of disclosure is just going to increase fear, uncertainty, and doubt in an industry sector already bedeviled with it. If short selling becomes the norm, then headlines rather than fixes will become the goal, and it's difficult to see how that benefits end users. ®
Defibrillator security saga will go to court Medical device maker St Jude has filed suit against a security company that reported security flaws in its products as part of a short-sale financial scheme. The medical supplier says it has sued security firm MedSec, investment house Muddy Waters, and three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators.

They then made money from their short position when the news broke and the stock fell. The charges include false advertising, false statements, conspiracy, and market manipulation. "We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St Jude president and CEO Michael Rousseau said in announcing the suit. "We believe this lawsuit is critical to the entire medical device ecosystem – from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme." Muddy Waters and MedSec made headlines last month when they reported discovering vulnerabilities in St Jude pacemaker and defibrillator devices that, if exploited, could allegedly have posed threats to the health of patients. Rather than disclose the flaws to the manufacturer, the researchers instead went to an investment house, which shorted St Jude stock before the news was released and turned a tidy profit when the price dropped. Shortly after the report surfaced, however, St Jude disputed the vulnerability reports and alleged the entire scheme had been made up to manipulate its stock price. "Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products, and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said St Jude vice president and chief medical officer Mark Carlson. "We decided to take this action because of the irresponsible manner in which these groups have acted."
Experts at the University of Michigan also poured doubt on one claim by MedSec that St Jude's equipment is remotely brickable. ®
No conclusive evidence of bricked devices, say uni experts Researchers at the University of Michigan (U-M) have poured doubt on one claim by MedSec that St Jude Medical's implanted pacemakers and defibrillators are remotely brickable. Last week MedSec went public with a report saying that life-sustaining devices sold by St Jude Medical could be wirelessly compromised by hackers – who could either brick the vital equipment or empty their batteries of charge by sending malicious signals from afar. Rather than try to get the issue fixed with the manufacturer, MedSec partnered with investment firm Muddy Waters Capital to short St Jude's stock.

This allowed the pair to cash in when they made their vulnerability findings public and the healthcare company's share price fell. St Jude called the damning MedSec dossier "false and misleading." Now U-M says some of the security shortcomings detailed in the MedSec report aren't as serious as first feared.

The uni researchers attempted to recreate MedSec's attacks and found that in one case so far, the evidence the security firm presented is flawed. "We're not saying the report is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue," said Kevin Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security. "To the armchair engineer it may look startling, but to a clinician it just means you didn't plug it in.
In layman's terms, it's like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard." MedSec's report includes a photo of error messages on a wireless monitoring station for a defibrillator as evidence that a radio-based attack successfully crashed the implanted widget. When the station's wand is waved over the defibrillator, fault alerts are shown that suggest the gadget has died because there's no live information coming from it.

The dossier reads: In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers.
It was therefore impossible to tell whether, and how the Cardiac Devices, are functioning. MedSec strongly suspects they were in many cases “bricked” – i.e., made to be non-functional.
It is likely physicians would explant a device that did not respond to the programmer. In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming. According to U-M's team, though, the implanted pacemakers or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted. In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed.
It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation. "We believe the pacemaker is acting correctly," Fu said. "It's obviously not an attempt to recreate the attack," a Muddy Waters spokesperson told The Register. MedSec declined to comment on the matter. In El Reg's view, if the communications are only temporarily disrupted it's hard to see how this is a super serious issue. On the other hand, if the radio jamming stops all further communication from the implant to a monitoring terminal, that's potentially going to require surgery to fix, which is not optimal. However, bear in mind, there is no hard evidence that a device was "bricked" – merely MedSec's strong hunch that this happened. That's what all of last week's screaming headlines were based on. "While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive," Fu noted. "Healthcare cybersecurity is about safety and risk management, and patients who are prescribed a medical device are far safer with the device than without it." The U-M researchers are still going through the MedSec report, so there's room for more discoveries or revisions to their conclusions.
In the meantime, the whole case has raised concerns among many in the computer security industry that the startup's unorthodox tactics may have needlessly terrified patients using St Jude's products. "It's my personal view that ethically it's really hard to understand why people would have to go through this," Sam Rehman, CTO of application security vendor Arxan Technologies, told The Reg. "The whole point of the security industry is to build trust by protecting systems." ®
Hackable pacemaker report 'false and misleading' The manufacturer of pacemakers and defibrillators has slammed a report by security researchers accusing it of putting customers' lives at risk. On Thursday security startup MedSec claimed that St. Jude Medical pacemakers and defibrillators were easily hackable and that attackers could either run down the batteries in patients' implanted medical devices or cause them to crash completely. Rather than inform the company, MedSec did a deal with a Wall Street firm to short-sell St. Jude stock and then go public with the news. "While we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading," the company said. "St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions." The MedSec team claimed that the medical devices could be easily hacked, based on hardware the firm had bought on eBay and code analysis.

The CEO of Muddy Waters, the Wall Street firm it did a deal with to short St Jude stock, claimed that this could lead to a "nightmare scenario" of a "mass attack" against people with the hardware in their bodies. Under the terms of the deal MedSec would get paid by Muddy Waters based on how far the stock fell in price.

The security firm didn't inform St. Jude about the flaws it claimed to have found before cashing in. A day later – presumably after the short sellers had made their profit – St. Jude responded, arguing that many of the claims made against its products can't be justified.

The firm hasn't said if it is complaining to the Securities and Exchange Commission about the issue, but such a move seems likely. MedSec's two key claims were that a hacking attack could either disrupt pacemaker functions or run down the battery powering the life-saving devices from 50 feet away. This is false, the manufacturer claims. "Once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report," St Jude said in a statement. "In the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient." The implanted devices communicate with a Merlin@home unit, a home transmitter that talks wirelessly to the hardware. MedSec claimed this unit was easily hackable after buying second-hand kit on eBay, but St Jude points out that such kit has to receive security updates in order to work. Responsible disclosure rules – which most of the security industry follows – would have meant contacting the manufacturer before going public.
Instead the head of MedSec, who happens to be former head of risk management at Bloomberg, leaked the story to her former employer and reaped the benefits. El Reg will be following up on this story but the damage is done – Wall Street has reaped its profits and expect more FUD stories in the future.

After all, serious money is at stake. ®
[Image: A St. Jude Medical cardiac defibrillator implant like the ones MedSec claimed to have found vulnerabilities in. Credit: St. Jude Medical] Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value.

That drop was triggered by news of alleged vulnerabilities in the company's cardiac care devices.

The vulnerability was disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had "shorted" St. Jude's stock on the information in order to profit from a drop in the stock's value. The researchers at the security firm MedSec chose to take this route to disclosure, MedSec CEO Justine Bone said, to "ensure that St. Jude Medical responds appropriately and with urgency." The partnership with a short seller is a fundamental departure from the established approach of responsible disclosure normally taken by researchers.

But it also represents an approach that bypasses the sort of legal maneuverings and threats, suppression of information, and inaction that have been experienced by researchers who have discovered vulnerabilities in other products. Researchers who discovered a vulnerability in Volkswagen electronic engine locks, for example, were forced to withhold a paper for two years through a court injunction filed by the automaker in 2012. Muddy Waters issued a report on Thursday claiming that it had demonstrated "two types of cyber attacks against STJ implantable cardiac devices: a 'crash' that causes cardiac devices to malfunction... and a battery drain attack that could be particularly harmful to device dependent users." The report claimed that the vulnerabilities had been proven in "multiple demonstrations evidencing how hollow STJ's device security is." In a blog post, Bone said that St. Jude "has stood out as lagging far behind" in addressing vulnerabilities in its products. She continues: For years [St. Jude Medical] has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security. We believe St. Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken.
In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St. Jude Medical responds appropriately and with urgency. The partnership with Muddy Waters was to help the researchers "deliver this message," Bone said. Bone wrote that she believed that it was time "to re-think the way cyber security is managed." She acknowledged that partnering with a short seller would draw criticism, "but we believe this is the only way to spur St. Jude Medical into action," she explained. "Most importantly, we believe that both potential and existing patients have a right to know about their risks." After the report was released, St. Jude's stock fell 10 percent on Thursday and an additional 2 percent today before trading was halted.
In a statement published today, a St. Jude spokesperson said, "We have examined the allegations made by Muddy Waters Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading." The vulnerabilities applied to older versions of the "Merlin@home" devices that communicate with the cardiac implants, versions that are not capable of being automatically patched, the spokesperson said.

The company claims that newer versions of the devices have already been updated.

Additionally, the spokesperson dismissed the battery drainage vulnerability as "misleading" because MedSec claimed it could be executed from 50 feet away. "This is not possible since once the device is implanted in a patient, wireless communication has an approximate 7-foot range," the spokesperson insisted, and the attack would also require "hundreds of hours of continuous and sustained pings" of the implant by an attacker.

Furthermore, St. Jude claimed that the screen shots used to demonstrate the "crash" attack actually show the device working normally. Trading in St. Jude stock resumed this afternoon and the stock had recovered some of its losses, CNBC reports.
Some sharks wear suits and ties Analysis A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout. Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical.
Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation. MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws were made public, MedSec and Muddy Waters could both profit.

The more the shares fell, the higher MedSec's profits would be. Muddy Waters duly published details of the flaws earlier today, on Thursday, and sent this doom-laden alert to investors: Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US).

There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years.
STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years.

Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users.

Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks. St Jude's share price fell 4.4 per cent to $77.50. MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts admittedly in a rather unorthodox manner. "We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog. "Most importantly, we believe that both potential and existing patients have a right to know about their risks.

Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products." Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed.
If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case. Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit.

Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the flaws, which could help depress the share price further and thus boost his profits. "The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed. But based on his own company's report today into the St Jude devices, that seems unlikely.

The two attack vectors mentioned include a battery draining attack and one that could crash a pacemaker, but both require the attacker to get access to the device's home control unit for about an hour. The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security.
It estimates the faults will take years to rectify. Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy Waters report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec. The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong.
So it seems they publicized that some flaws were merely present instead and cashed in on short selling. Medical device hacking has been demonstrated for years now, so much so that it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue. ®