9/2/2016
01:35 PM
MedSec/Muddy Waters & The Future Of IoT Security

St. Jude vulnerability report could be test case for vulnerability disclosure.

The "responsible vulnerability disclosure" debate has lain relatively dormant for years but has just been rudely awoken. Last week, cybersecurity firm MedSec partnered with Muddy Waters to short-sell medical device company St. Jude Medical, releasing incomplete data about vulnerabilities in St. Jude Medical's pacemakers, implantable cardioverter-defibrillator (ICD) devices, and the Merlin@home monitoring device that communicates with them. The deal would enable MedSec to profit from a drop in St. Jude's stock.

The event has raised new questions about what this means not just for vulnerability disclosure, but for the future of IoT security.

Was It Necessary? 

In a Bloomberg interview Aug. 25, MedSec CEO Justine Bone said: "...given St. Jude Medical's track history of brushing these security issues to one side and basically making no changes whatsoever to their technology -- despite having researchers call their attention to issues in the past, despite the DHS investigation, despite FDA requirements that cybersecurity be prioritized -- nothing has changed in the St. Jude Medical technology suite. So we did not feel confident that the most effective way forward was to approach St. Jude Medical."

Bone did not respond to a request for comment on this story. 

The pacemaker vulnerabilities first exposed by the late Barnaby Jack in 2012 were known to impact multiple pacemaker vendors, but the full details about those vulnerabilities and affected makes/models were never revealed, because of Jack's untimely death days before he was due to present his research at Black Hat in 2013.

There are no CVE numbers listed for vulnerabilities in St. Jude Medical devices or systems. Documented US Food and Drug Administration (FDA) warning letters to St. Jude Medical do not include any references to cybersecurity. An FDA representative confirmed to Dark Reading, "To date, the FDA has not issued any warning letters or safety communications related to cybersecurity concerns specific to St. Jude Medical devices."

St. Jude Medical also has a vulnerability disclosure program active on its website; several other medical device manufacturers have these programs now. The FDA, in cooperation with the Department of Homeland Security's (DHS) ICS-CERT, is the official handler of cybersecurity matters related to medical devices, and has published guidance on cooperative vulnerability disclosure.

A MedSec/Muddy Waters representative says they sent the FDA a report about the St. Jude vulnerabilities and estimated that it was e-mailed the day before the public report was released. The FDA told Dark Reading that they received the report the same morning the public report was released, and that it was identical to the public report.

Therefore, if St. Jude is to improve their security, they must do it without the direct help of MedSec: MedSec researchers are the only ones known to have full details about the vulnerabilities. Others, however, are looking.

The FDA and the DHS are currently doing an official investigation. University of Michigan professor and director of the Archimedes Center for Medical Device Security Kevin Fu said this week, “We’re not saying the report is false. ... We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue.” 

Used Merlin@home monitoring devices listed for sale on eBay have been selling quickly.

Despite the progress made in medical device cybersecurity, some researchers say moves like MedSec's are still necessary.

"From my experience, responsible disclosure does not always work," says IOActive security researcher Cesar Cerrudo, known for his work on satellites and other IoT devices. Cerrudo says, in fact, that responsible disclosure works less than half the time.  

Was it ethical?

There are two key questions here. Are there threats or costs to the patients that MedSec did not adequately consider? And is it ethically questionable for a security company to profit from a company's poor cybersecurity without helping it fix the problems?

As for financial costs, according to Healthcare Bluebook, a "fair price" for an insured patient in the United States to pay out-of-pocket to have a pacemaker inserted is $25,924; to have an ICD inserted is $64,278.  That "fair price" generally falls within the 30th to 55th percentile of what patients actually pay. So, depending upon insurance, region, and choice of hospital to have the procedure done, many patients pay more than that. If an implanted device is recalled, some insurance companies are now coercing device manufacturers to give partial credits back to patients.

Marie Moe is both a pacemaker cybersecurity researcher and a pacemaker patient who says she is hacking her own heart. She told Dark Reading in a statement, "As a patient I am angry, because the researchers did not seem to act in the interest of patient safety with their choice of disclosure strategy. They used fear mongering as a tactic to maximise their monetary profit. The lack of empathy is striking."

Moe polled other patients when speaking at a conference earlier this week. They were more "curious" than any other emotion when they heard the MedSec news, but none thought that MedSec's actions were ethical. Moe also polled her Twitter followers, whose responses were mixed; however, the majority still felt it was unethical.

Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative, founding member of I Am The Cavalry, and member of the US Department of Health and Human Service's Health Care Industry Cybersecurity Task Force, points to one of I Am The Cavalry's positions on disclosure: "Those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk."

However, Cerrudo argues this: "I don't know why people get so mad because they didn't release the details." He points out that MedSec is being criticized both for releasing too many details and for not releasing enough, and also that there is, as Bone said, no immediate threat to patients.

As for turning a profit, Cerrudo says, "Any company can do what they want with their research." He does point out, however, that IOActive would not follow MedSec's lead.

What's the lasting impact on IoT and medical device cybersecurity?

"This will make it harder," says Corman. He points to progress that has been made, like the vulnerability disclosure guidance, and the fact that a medical device was actually recalled because of a cybersecurity concern. Device manufacturers, government agencies, and cybersecurity researchers working together have made progress, but adversarial actions like MedSec's action against St. Jude will work against it.

"If you hurt relationships," he says, "you're going to continue to have unsafe medical devices."

"As a researcher I am worried about how this behaviour may make things worse for other researchers that do want to follow a coordinated disclosure process," says Moe. "The betrayal of trust can make it more difficult for us to succeed with a more cooperative and less noisy approach."

Cerrudo, though, says, depending upon how this case shakes out, it could have a positive effect. If St. Jude doesn't recover, other companies may see MedSec's action as a red flag and decide "'We need to be careful, because someone could affect our stock price.'"

Will other companies follow suit?

Cerrudo says that while IOActive won't follow this model, others might, depending upon how successful it is for MedSec. 

Just how much MedSec will earn or has earned is a big question mark. It all depends on the short sale Muddy Waters made: they bet x amount of money that St. Jude stock would drop y points by z date and agreed to give MedSec x percent of the winnings. How much does that add up to? The details of the short sale and the agreement were not publicly disclosed, and a Muddy Waters/MedSec representative did not share any more.

It remains unclear whether a company could earn anywhere near the amounts fetched by the priciest bug bounties without having to find, and prove it found, something as elusive as a remote code execution bug in iOS. If so, that could have an enormous impact on the zero-day market.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...