Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/11/2017
09:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Cardiac Implant Flaw Patched, But Holes Remain

A new chapter opens in the controversy surrounding security vulnerabilities disclosed in St. Jude Medical's cardiac implant devices.

S4x17 CONFERENCE – Miami, Fla. – After more than four months of fallout over a controversial vulnerability disclosure by security firm MedSec on flaws it found in St. Jude Medical's cardiac implant products, the medical device vendor this week issued a security patch and the US Federal Drug Administration (FDA) published an alert that confirms vulnerabilities in the implant devices.

Healthcare security product and services firm MedSec has been in the hot seat since it licensed its vulnerability research of St. Jude Medical's cardiac implant devices to a financial trading firm that used the information to short-sell the stock of the medical device manufacturer – a move the firm says was meant to put pressure on St. Jude to fix the vulnerabilities. The short-sell tack raised eyebrows as an unorthodox way for MedSec to make money off its research, but MedSec contends that researchers are usually compensated for their work.

St. Jude Medical, which was acquired by Abbott Laboratories this month for $25 billion, in September filed a lawsuit against MedSec and Muddy Waters, claiming that they engaged in a "willful and malicious scheme to manipulate the securities markets for their own financial windfall."

In an interview here today with Dark Reading, Justine Bone, CEO of MedSec, says while her firm welcomes the security patch issued by St. Jude, the update doesn't address the full suite of flaws unearthed by her firm, and she expects more security updates to come from the manufacturer. "They've still got these underlying problems with a lack of authentication in the RF protocol that allows [potentially rogue] commands," for example, she says. That could allow an attacker to issue commands to the patient's implant to remotely shock it, or disable or drain its battery, she says.

The FDA on Monday officially warned that pacemakers made by St. Jude Medical were vulnerable to hacking via the manufacturer's [email protected] Transmitter due to vulnerabilities in the device. St. Jude Medical, meanwhile, issued its patch, which is automatically applied to the devices when connected to the manufacturer's Merlin.net network.

"It's great to see St. Jude taking responsibility. They addressed and fixed one part of the problem, but a lot remain still untouched," Bone says. "These are critical problems."

St. Jude's patch addresses the vulnerability to a man-in-the-middle attack, Bone explains, via the Merlin infrastructure. "That was not our area of focus," she says, but jibes with authentication issues MedSec disclosed. Aside from authentication flaws, MedSec also found encryption and input validation vulnerabilities in its research, plus hardware flaws and exposed I/O ports.

Bone says MedSec decided not to disclose the flaws directly to St. Jude because it expected the firm would not remedy the issues. "I literally had people telling me they were shown the door" when trying to disclose bugs to St. Jude Medical, Bone says.

But MedSec didn't initially plan to bypass St. Jude. In an on-stage interview here with Digital Bond CEO Dale Peterson today, Bone said MedSec had planned to take the traditional disclosure route when it first embarked on a project to test various vendors' implant devices. "In the case of St. Jude, it was a very unusual situation … We were very confident that they would not acknowledge the vulnerabilities and not doing anything about it. We wanted to look for another route to hold St. Jude accountable, so we partnered with Muddy Waters," she said. "They [Muddy Waters] have a track history of holding large public companies accountable for other types of fraudulent behavior."

Even so, Bone says MedSec won't take the Muddy Waters-type route to disclosure again. "I have no intention of doing this again," she said. But she has no regrets, either: "It's an option that can be pursued" by researchers if needed, she said.

Peterson asked Bone about the ethics of profiting off the Muddy Waters report. Said Bone: "It's not unusual for researchers to be compensated for their work. It is unusual for a manufacturer to not act responsibly once it receives vulnerability" research, and profiting from faulty devices implanted in their patient customers, Bone said.

In an interview later with Dark Reading, Peterson says he believes MedSec wanted a way to monetize its research via the Muddy Waters disclosure. "I don't think there's anything wrong" with that, he says, but if a researcher decides to go that route, they should expect some "blowback."

MedSec handed the FDA and DHS ICS-CERT the vulnerability details when Muddy Waters published its report, Bone says. She says MedSec believes the combination of working with Muddy Waters, the FDA and DHS, helped prod St. Jude Medical to respond. "If we had only engaged with the FDA, for example, I'm not sure if St. Jude would have put the resources into understanding and responding to these issues," she says.

But critics say MedSec's bold disclosure method via Muddy Waters complicates an already fragile relationship between white-hat hackers and consumer device vendors still new to the bug disclosure scene. If interfacing directly with the device vendor isn't an option, researchers should work via the FDA and/or the ICS-CERT, says Josh Corman, director of the cyber statecraft initiative at the Atlantic Council.

"I can respect this might be a difficult company to deal with," Corman says. But then it's best to go through DHS or the FDA, he says. The FDA is the regulator of medical devices, so "St. Jude can't just blow off the FDA," he says.

Corman points out that St. Jude Medical is also one of the few medical device makers that has a vulnerability disclosure program in place. "In general, if a company has a disclosure program, I think it's our responsibility to use it."

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17364
PUBLISHED: 2020-08-05
USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.
CVE-2020-4481
PUBLISHED: 2020-08-05
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
CVE-2020-5608
PUBLISHED: 2020-08-05
CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered c...
CVE-2020-5609
PUBLISHED: 2020-08-05
Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to cre...
CVE-2020-8607
PUBLISHED: 2020-08-05
An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentia...