The "responsible vulnerability disclosure" debate has lain relatively dormant for years but has just been rudely awoken. Last week, cybersecurity firm MedSec partnered with Muddy Waters to short-sell medical device company St. Jude Medical, releasing incomplete data about vulnerabilities in St. Jude's pacemakers, implantable cardioverter-defibrillator (ICD) devices, and the Merlin@home monitoring device that communicates with them. The deal would enable MedSec to profit from a drop in St. Jude's stock.
The event has raised new questions about what this means not just for vulnerability disclosure, but for the future of IoT security.
Was it necessary?
In a Bloomberg interview Aug. 25, MedSec CEO Justine Bone said: "...given St. Jude Medical's track history of brushing these security issues to one side and basically making no changes whatsoever to their technology -- despite having researchers call their attention to issues in the past, despite the DHS investigation, despite FDA requirements that cybersecurity be prioritized -- nothing has changed in the St. Jude Medical technology suite. So we did not feel confident that the most effective way forward was to approach St. Jude Medical."
Bone did not respond to a request for comment on this story.
The pacemaker vulnerabilities first exposed by the late Barnaby Jack in 2012 were known to impact multiple pacemaker vendors, but the full details about those vulnerabilities and affected makes/models were never revealed, because of Jack's untimely death days before he was due to present his research at Black Hat in 2013.
There are no CVE entries listing vulnerabilities in St. Jude Medical devices or systems. Documented US Food and Drug Administration (FDA) warning letters to St. Jude Medical do not include any references to cybersecurity. An FDA representative confirmed to Dark Reading, "To date, the FDA has not issued any warning letters or safety communications related to cybersecurity concerns specific to St. Jude Medical devices."
St. Jude Medical also has a vulnerability disclosure program active on its website; several other medical device manufacturers now have such programs. The FDA and the Department of Homeland Security's (DHS) ICS-CERT are the official handlers of cybersecurity matters related to medical devices, and have published guidance on coordinated vulnerability disclosure.
A MedSec/Muddy Waters representative says they sent the FDA a report on the St. Jude vulnerabilities, and estimates that it was e-mailed the day before the public report was released. The FDA told Dark Reading that it received the report the same morning the public report was released, and that it was identical to the public report.
Therefore, if St. Jude is to improve its security, it must do so without the direct help of MedSec: MedSec researchers are the only ones known to have full details about the vulnerabilities. Others, however, are looking.
The FDA and the DHS are currently conducting an official investigation. University of Michigan professor and director of the Archimedes Center for Medical Device Security Kevin Fu said this week, “We’re not saying the report is false. ... We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue.”
Used Merlin@home monitoring devices listed on eBay have been selling quickly.
Despite the progress made in medical device cybersecurity, some researchers say moves like MedSec's are still necessary.
"From my experience, responsible disclosure does not always work," says IOActive security researcher Cesar Cerrudo, known for his work on satellites and other IoT devices. Cerrudo says, in fact, that responsible disclosure works less than half the time.
Was it ethical?
There are two key questions here. Are there threats or costs to patients that MedSec did not adequately consider? And is it ethically questionable for a security company to profit from a company's poor cybersecurity without helping it fix the problems?
As for financial costs, according to Healthcare Bluebook, a "fair price" for an insured patient in the United States to pay out-of-pocket to have a pacemaker inserted is $25,924; to have an ICD inserted is $64,278. That "fair price" generally falls within the 30th to 55th percentile of what patients actually pay. So, depending upon insurance, region, and choice of hospital to have the procedure done, many patients pay more than that. If an implanted device is recalled, some insurance companies are now coercing device manufacturers to give partial credits back to patients.
Marie Moe is both a pacemaker cybersecurity researcher and a pacemaker patient who says she is hacking her own heart. She told Dark Reading in a statement, "As a patient I am angry, because the researchers did not seem to act in the interest of patient safety with their choice of disclosure strategy. They used fear mongering as a tactic to maximise their monetary profit. The lack of empathy is striking."
Moe polled other patients when speaking at a conference earlier this week. They were more "curious" than any other emotion when they heard the MedSec news, but none thought that MedSec's actions were ethical. Moe also polled her Twitter followers, whose responses were mixed; the majority, however, still felt it was unethical:
"How do you feel about the ethical aspect of #MedSec short-selling stocks based on their research findings?" (Marie Moe, @MarieGMoe, August 28, 2016)
Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative, founding member of I Am The Cavalry, and member of the US Department of Health and Human Services' Health Care Industry Cybersecurity Task Force, points to one of I Am The Cavalry's positions on disclosure: "Those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk."
However, Cerrudo argues this: "I don't know why people get so mad because they didn't release the details." He points out that MedSec is being criticized both for releasing too many details and for not releasing enough, and also that there is, as Bone said, no immediate threat to patients.
As for turning a profit, Cerrudo says, "Any company can do what they want with their research." He does point out, however, that IOActive would not follow MedSec's lead.
What's the lasting impact on IoT and medical device cybersecurity?
"This will make it harder," says Corman. He points to progress that has been made, like the vulnerability disclosure guidance, and the fact that a medical device was actually recalled because of a cybersecurity concern. Device manufacturers, government agencies, and cybersecurity researchers working together have made progress, but adversarial moves like MedSec's against St. Jude work against it.
"If you hurt relationships," he says, "you're going to continue to have unsafe medical devices."
"As a researcher I am worried about how this behaviour may make things worse for other researchers that do want to follow a coordinated disclosure process," says Moe. "The betrayal of trust can make it more difficult for us to succeed with a more cooperative and less noisy approach."
Cerrudo, though, says that depending upon how this case shakes out, it could have a positive effect. If St. Jude doesn't recover, other companies may see MedSec's action as a red flag and decide, "'We need to be careful, because someone could affect our stock price.'"
Will other companies follow suit?
Cerrudo says that while IOActive won't follow this model, others might, depending upon how successful it is for MedSec.
Just how much MedSec will earn or has earned is a big question mark. It all depends on the short sell Muddy Waters made: it bet some amount of money that St. Jude stock would drop a given number of points by a given date, and agreed to give MedSec some percentage of the winnings. How much does that add up to? The details of the short-sell and the agreement were not publicly disclosed, and a Muddy Waters/MedSec representative would not share any more.
It remains unclear whether a company could earn anywhere near the amount of money fetched by some of the priciest bug bounties this way, without having to find and prove something as elusive as a remote code execution bug in iOS. If it can, that could have an enormous impact on the zero-day market.