
Vulnerabilities / Threats

9/2/2016 01:35 PM

MedSec/Muddy Waters & The Future Of IoT Security

St. Jude vulnerability report could be a test case for vulnerability disclosure.

The "responsible vulnerability disclosure" debate has lain relatively dormant for years but has just been rudely awoken. Last week, cybersecurity firm MedSec partnered with Muddy Waters to short-sell medical device company St. Jude Medical, releasing incomplete data about vulnerabilities in St. Jude's pacemakers, implantable cardioverter-defibrillator (ICD) devices, and the Merlin@home monitoring device that communicates with them. The deal would enable MedSec to profit from a drop in St. Jude's stock.

The event has raised new questions about what this means not just for vulnerability disclosure, but for the future of IoT security.

Was it necessary?

In a Bloomberg interview Aug. 25, MedSec CEO Justine Bone said: "...given St. Jude Medical's track history of brushing these security issues to one side and basically making no changes whatsoever to their technology -- despite having researchers call their attention to issues in the past, despite the DHS investigation, despite FDA requirements that cybersecurity be prioritized -- nothing has changed in the St. Jude Medical technology suite. So we did not feel confident that the most effective way forward was to approach St. Jude Medical."

Bone did not respond to a request for comment on this story. 

The pacemaker vulnerabilities first exposed by the late Barnaby Jack in 2012 were known to impact multiple pacemaker vendors, but the full details about those vulnerabilities and affected makes/models were never revealed, because of Jack's untimely death days before he was due to present his research at Black Hat in 2013.

There are no CVE numbers listed for vulnerabilities in St. Jude Medical devices or systems. Documented US Food and Drug Administration (FDA) warning letters to St. Jude Medical do not include any references to cybersecurity. An FDA representative confirmed to Dark Reading, "To date, the FDA has not issued any warning letters or safety communications related to cybersecurity concerns specific to St. Jude Medical devices."

St. Jude Medical also has a vulnerability disclosure program active on its website; several other medical device manufacturers have such programs now. The FDA, in cooperation with the Department of Homeland Security's (DHS) ICS-CERT, is the official handler of cybersecurity matters related to medical devices, and the two agencies have published guidance on cooperative vulnerability disclosure.

A MedSec/Muddy Waters representative says they sent the FDA a report about the St. Jude vulnerabilities and estimated that it was e-mailed the day before the public report was released. The FDA told Dark Reading that they received the report the same morning the public report was released, and that it was identical to the public report.

Therefore, if St. Jude is to improve their security, they must do it without the direct help of MedSec: MedSec researchers are the only ones known to have full details about the vulnerabilities. Others, however, are looking.

The FDA and the DHS are currently conducting an official investigation. University of Michigan professor and director of the Archimedes Center for Medical Device Security Kevin Fu said this week, "We're not saying the report is false. ... We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue."

Used Merlin@home monitoring devices listed for sale on eBay have been selling quickly.

Despite the progress made in medical device cybersecurity, some researchers say moves like MedSec's are still necessary.

"From my experience, responsible disclosure does not always work," says IOActive security researcher Cesar Cerrudo, known for his work on satellites and other IoT devices. Cerrudo says, in fact, that responsible disclosure works less than half the time.  

Was it ethical?

There are two key questions here. Are there threats or costs to the patients that MedSec did not adequately consider? And is it ethically questionable for a security company to profit from a company's poor cybersecurity without helping it fix the problems?

As for financial costs, according to Healthcare Bluebook, a "fair price" for an insured patient in the United States to pay out-of-pocket to have a pacemaker inserted is $25,924; to have an ICD inserted it is $64,278. That "fair price" generally falls within the 30th to 55th percentile of what patients actually pay. So, depending upon insurance, region, and choice of hospital for the procedure, many patients pay more than that. If an implanted device is recalled, some insurance companies are now coercing device manufacturers to give partial credits back to patients.

Marie Moe is both a pacemaker cybersecurity researcher and a pacemaker patient who says she is hacking her own heart. She told Dark Reading in a statement, "As a patient I am angry, because the researchers did not seem to act in the interest of patient safety with their choice of disclosure strategy. They used fear mongering as a tactic to maximise their monetary profit. The lack of empathy is striking."

Moe polled other patients when speaking at a conference earlier this week. They were more "curious" than anything else when they heard the MedSec news, but none thought that MedSec's actions were ethical. Moe also polled her Twitter followers, whose responses were mixed; however, the majority still felt it was unethical.

Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative, founding member of I Am The Cavalry, and member of the US Department of Health and Human Services' Health Care Industry Cybersecurity Task Force, points to one of I Am The Cavalry's positions on disclosure: "Those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk."

However, Cerrudo argues this: "I don't know why people get so mad because they didn't release the details." He points out that MedSec is getting criticized both for releasing too many details and for not releasing enough, and also that there is, as Bone said, no immediate threat to patients.

As for turning a profit, Cerrudo says, "Any company can do what they want with their research." He does point out, however, that IOActive would not follow MedSec's lead.

What's the lasting impact on IoT and medical device cybersecurity?

"This will make it harder," says Corman. He points to progress that has been made, like the vulnerability disclosure guidance, and the fact that a medical device was actually recalled because of a cybersecurity concern. Device manufacturers, government agencies, and cybersecurity researchers working together have made progress, but adversarial actions like MedSec's move against St. Jude will work against that progress.

"If you hurt relationships," he says, "you're going to continue to have unsafe medical devices."

"As a researcher I am worried about how this behaviour may make things worse for other researchers that do want to follow a coordinated disclosure process," says Moe. "The betrayal of trust can make it more difficult for us to succeed with a more cooperative and less noisy approach."

Cerrudo, though, says, depending upon how this case shakes out, it could have a positive effect. If St. Jude doesn't recover, other companies may see MedSec's action as a red flag and decide "'We need to be careful, because someone could affect our stock price.'"

Will other companies follow suit?

Cerrudo says that while IOActive won't follow this model, others might, depending upon how successful it is for MedSec.

Just how much MedSec will earn or has earned is a big question mark. It all depends on the short sale Muddy Waters made: they bet x amount of money that St. Jude stock would drop y points by z date and agreed to give MedSec a percentage of the winnings. How much does that add up to? The details of the short sale and the agreement were not publicly disclosed, and a Muddy Waters/MedSec representative did not share any further details.

It remains unclear whether a company could earn anywhere near the amount of money fetched in some of the priciest bug bounties without having to find, and prove it found, something as elusive as a remote code execution bug in iOS. If so, that could have an enormous impact on the zero-day market.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...