The one-two punch of incompetent IT administrators and botched connected device security has resulted in an unsurprising spike in ransomeware attacks
across the medical industry. And while the rise in easily hacked "smart" TVs
, tea kettles
, and kids toys
is superficially funny in the consumer internet of things space, it's less amusing when you're a patient relying on poorly secured pace makers and essential medical equipment. But much like the internet of things space these devices are not only poorly secured, they're supported by companies that aren't very good at releasing timely security updates.
Case in point: a team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers
for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.
According to MedSec Chief Executive Officer Justine Bone
, St. Jude has a long history of implementing sub-standard security, and then doing little to nothing once these vulnerabilities are pointed out:
"As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.
So MedSec tried something relatively unique. Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.
The report has been posted to the Muddy Waters website
(pdf), with both companies standing to profit should the company's stock price take a tumble (which has already begun, with the stock dropping 12% before trading being halted). The timing is trouble for St. Jude, which is in the process of finalizing a potential $25 billion acquisition by Abbott Laboratories. MedSec, for what it's worth, says they only took this route because they believed St. Jude would either ignore the vulnerabilities or engage in legal hostilities:
"We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable."
Unsurprisingly, the decision to punish St. Jude in this fashion immediately triggered an ethics debate in the hacker and security community. Some were quick to argue that failing to update necessary medical equipment was the real ethics violation. Some believe both St. Jude and Muddy Waters are being intentionally misleading for the sake of profit and marketing
, and others are solely appalled by the short selling tactic itself. In the latter category sits security researcher Kenn White, who called the moved little more than "pure naked greed":
Not too surprisingly, St. Jude was quick to issue a statement
claiming MedSEC used "flawed test methodology on outdated software," demonstrating "lack of understanding of medical device technology.":
"We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading. Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions."
MedSec says it found two 0 day exploits opening pacemakers to attack, either by draining the battery or crashing the device software (both require being relatively close to the target). But the group also found that the company's pacemakers often use no encryption nor authentication over wireless, and the devices all use the same password to connect to the St Jude network, opening the door to a reverse engineering hack on the network at large. MedSec and Muddy Waters continue to insist the company's history indicates it would not have fixed the vulnerabilities in a timely fashion using traditional reporting methods and bounties.
Regardless of which side you believe is being more or less self-serving, punishing companies for their security incompetence using the only language they truly understand adds a massive and interesting new wrinkle in the never-ending debate over hacking ethics, and the over-arching quest to bring some accountability to companies still treating life-protecting security like an annoying afterthought.