Slashdot Mirror


The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com)

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

81 comments

  1. 5%? by 110010001000 · · Score: 4, Insightful

    Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

    1. Re:5%? by Anonymous Coward · · Score: 0

      I think the implication is that today's drop was only the start, and it will get much worse for them as people realize the implications of this. I think it's not a bad bet; whether it's legit or not, Wall Street has a way of overreacting to news, positive or negative.

    2. Re:5%? by Dorianny · · Score: 3, Insightful

      A voluntary or an FDA-ordered full recall is unlikely, or you would have seen the stock price come crashing down and trading halted. Device security is just not taken seriously in the industry. Practically the only invulnerable devices are the ones with network-stack implementations so broken as to render networking functions pretty useless. The industry benefits from there not being any cases of harm to patients. Few people outside of research would target medical devices given the risk of causing physical harm to innocent people. Of course this could change in an instant were someone to off their rich uncle for the inheritance by hacking into his pacemaker. The scandal would cause a tsunami that would come crashing down on the biotech industry.

    3. Re:5%? by HiThere · · Score: 1

      How would you prove it? Would it require assistance from the company to show that that was what happened?

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:5%? by whoever57 · · Score: 5, Insightful

      Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

      Yes, it's a shame it didn't go down more. Until lack of security affects the bottom line, companies won't make secure devices.

      --
      The real "Libtards" are the Libertarians!
    5. Re:5%? by Dorianny · · Score: 1

      How would you prove it? Would it require assistance from the company to show that that was what happened?

      If the coroner found the device not functioning during the autopsy and implicated it as the cause of death, he could rule the death suspicious (if he were smart) and start the ball rolling for the device to end up at the FBI crime lab directly. Otherwise he would (hopefully) file a report with the FDA or the manufacturer (which is required to report it to the FDA). Eventually an FDA inspector would get around to reading the report and hopefully be alarmed enough to ask the company to check on the cause of the malfunction. If the company experts found the device is functioning properly and it simply had been turned off somehow, or that the device's firmware checksum doesn't match the deployed image, the case would be reopened and the device would end up at FBI labs. It is unlikely that the company experts would lie to the FDA: for one, they would have to explain to them what went wrong, which means making up some other defect on the device, and second, they would be committing multiple felonies and infractions. PS: This scenario assumes a not very sophisticated hacker (which would still be quite capable of penetrating the pathetic security on most medical devices). Someone dedicated to the craft would probably write an in-runtime-memory-only exploit that after the deed would restore the device to proper function and wipe itself off without leaving any traces.

    6. Re:5%? by Dorianny · · Score: 1

      Lots of stocks go down 5% in one day, especially medical stocks. Hardly steep.

      Yes, it's a shame it didn't go down more. Until lack of security affects the bottom line, companies won't make secure devices.

      Stock prices don't affect the bottom line (other than on an IPO of course); however, a bunch of pissed off investors looking at their portfolio charts shooting straight down would likely demand the heads of the CEO and the CTO. If the board of trustees doesn't deliver you might see a direct shareholder vote being called. That's when you would see some real change in the industry. Nothing greases the wheels quite like the blood of executives.

    7. Re:5%? by AmiMoJo · · Score: 1

      How would a recall work exactly? Presumably they can't just upload a firmware upgrade wirelessly, as aside from anything if the process failed or even took a few seconds to restart the patient would be in serious trouble. So it would have to be surgery, I guess.

      This sort of thing is only going to get more common as we start putting more stuff inside our bodies. A year or two back it was found that a major manufacturer of breast implants was using sub-standard silicone and that the risk of leakage was high, so they all needed to be replaced. Of course the company declared bankruptcy and everyone who had them was left to either sue the surgeon or try to get a free fix through [national] insurance. And yes, some were cosmetic boob jobs, but many were cancer survivors.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:5%? by Anonymous Coward · · Score: 0

      It affects the bottom line of shareholders and the CEO's (who is usually paid at least partly in shares) personal finances.

    9. Re:5%? by gtall · · Score: 1

      Some med devices have OTA updates of their firmware. Companies see it as a much less obtrusive way of updating than tearing it out and replacing it.

    10. Re:5%? by AmiMoJo · · Score: 1

      Interesting. When you say OTA, I presume you mean through the skin from a transceiver placed on the body, rather than from any significant distance or over a network, right?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:5%? by GrumpySteen · · Score: 1

      Their stock went up by more than 20% on April 29th, too, when they announced that they were being bought by Abbott Labs.

      After speculation causes a jump like that, prices always tend to drop back off as reality sets in and the late-comers to the party have realized that the stock isn't going up any more and they're ready to sell quickly in order to cut their losses at the slightest hint that the price may go down further.

    12. Re:5%? by jbmartin6 · · Score: 2

      In other words, they would argue they don't need to take security seriously because there isn't a serious threat. The rich uncle is a good example of a somewhat realistic situation, but I don't agree that it would set off any flood of concern. Probably very few would care, except maybe the uncle's other relatives. But settling that lawsuit later is a lot cheaper than implementing a lot of security now. Remember, there are lots of ways to kill someone with few or no traces, as long as there is no other evidence. In the uncle's case, the murderous heir would be the prime suspect if there were any whiff of foul play and would leave other evidence like browser search history. Not that the crime couldn't happen, it would just be pretty rare. Is that enough to change the economic calculus for the medical device company?

      Or look at it this way. If the murder is undetected, the device company isn't in trouble and has no reason to add security. If the murder is detected, the criminal is convicted and others are deterred from using the same methods. The crime gets added to the list of all the other solved murders which used candlesticks in the library and such. Either way, the medical device company has no motivation to change anything.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    13. Re:5%? by whoever57 · · Score: 1

      Stock prices don't affect the bottom line (other than on an IPO of course)

      Please, don't do any investments in stocks: you clearly don't understand this well enough.

      The question you have to ask is: why did the stock price go down? The answer to which is that investors in the stock market expect that future profits (the bottom line) will be lower. In other words, no, stock prices don't affect the bottom line (but see note), instead, the expected future of the bottom line affects the stock price.

      Note: a high stock price can improve a company's ability to raise capital for investment, so in this way a high stock price can affect the bottom line.

      --
      The real "Libtards" are the Libertarians!
    14. Re: 5%? by Anonymous Coward · · Score: 0

      Or you could buy put options to short the stock and then drive to another city, kill everyone in range for a couple hours and drive home undetected.

      It doesn't need to be your grandpa to get rich.

    15. Re:5%? by Dorianny · · Score: 1

      Stock prices don't affect the bottom line (other than on an IPO of course)

      Please, don't do any investments in stocks: you clearly don't understand this well enough.

      The question you have to ask is: why did the stock price go down? The answer to which is that investors in the stock market expect that future profits (the bottom line) will be lower. In other words, no, stock prices don't affect the bottom line (but see note), instead, the expected future of the bottom line affects the stock price.

      Pray do tell how investors "expecting" lower earnings actually affects earnings.

      Note: a high stock price can improve a company's ability to raise capital for investment, so in this way a high stock price can affect the bottom line.

      Agreed that an embattled company would have more difficulties (at least have to pay higher rates) getting loans or selling bonds. However, this is a function of the company facing uncertainties about its future rather than the "stock price" per se. A private company in a similar situation would face the same difficulties raising capital.

    16. Re:5%? by HiThere · · Score: 1

      Autopsies are rare unless there is already strong suspicion of a crime, and most coroners aren't competent to diagnose the workings of a pacemaker or defibrillator. Additionally, if the defibrillator kept trying to restart the heart until its battery died, it would fail to respond without replacing the battery. Not a minor endeavor.

      People who are competent to diagnose defibrillators are rare, especially if they are expected to work on devices made by an arbitrary manufacturer rather than just a couple of them. People who can repair them (more than just changing the battery...itself no minor operation) usually work for the company that made them.

      So unless there is already a presumption of murder I don't think this would be likely to be detected.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    17. Re:5%? by mlw4428 · · Score: 1

      They never will. Companies will forever operate under the auspices of "good enough to have insurance cover it". Class actions need to quit settling for amounts that are equal to 1% of 1% of a company's bottom line. Go for the throat and demand 100% of a company's gross revenues for 10 years and then haul that case to court. Work to have their business licenses yanked and start piercing the corporate veil. Remind people that, as a company, you have a duty to your customers and not just your shareholders - or you run the risk of having the proverbial boot snap your company's neck.

    18. Re:5%? by slashdotwannabe · · Score: 1

      If the battery died then that would be a very strong indication of some problem. Probably they would suspect a defect in the manufacturing, but that would start the closer look that might just uncover foul play. Or not. If their logging/forensics is as bad as their security...

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
  2. Saint Jude, don't let me down! by Anonymous Coward · · Score: 2, Funny

    take a sad song
    and make it better
    but remember
    to let it into your heart
    so the hackers
    can kill you!!

    1. Re:Saint Jude, don't let me down! by jfdavis668 · · Score: 1, Offtopic

      Another song by Muddy Waters research.

    2. Re:Saint Jude, don't let me down! by Pseudonym · · Score: 1

      You can't lose what you ain't never had.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  3. What? by Anonymous Coward · · Score: 2, Insightful

    Reading that made my head hurt.

    1. Re:What? by Pseudonym · · Score: 1

      News for People Richer than You: Stuff that Barely Matters

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    2. Re:What? by Archfeld · · Score: 1

      Unless you happen to have or have a family member that has one of the devices in question.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    3. Re:What? by Pseudonym · · Score: 1

      In that case, what some analyst thinks of the share price (however data-driven it may be) is the least of your worries.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    4. Re: What? by Anonymous Coward · · Score: 0

      No it is your biggest worry. The fact that you don't understand how the system works and ignore it doesn't mean that it's not your biggest issue.

    5. Re: What? by Anonymous Coward · · Score: 0

      Yeah, if you think it's bad now, just wait until the company goes bankrupt and lays off all the programmers that might know how to fix it.

  4. short Abbott by turkeydance · · Score: 1

    Abbott to Acquire St Jude Medical http://media.sjm.com/newsroom/...

  5. Sketchy by Anonymous Coward · · Score: 1

    'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues

    How is this not some kind of insider trading and/or pump and dump scheme? Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings... SEC should look very closely at who has established short positions in this security.

    1. Re:Sketchy by lgw · · Score: 3, Informative

      How is this not some kind of insider trading and/or pump and dump scheme? Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings... SEC should look very closely at who has established short positions in this security.

      As long as it's an independent researcher, it's fine. No reason you need to be an insider to spot security flaws. That's how the stock market works: you have all the companies engaged in just-borderline-legal puffery, exaggeration, and hockey sticks, and you have the short-side researchers trying to spot the biggest liars. It works well overall because the analysis becomes public quickly enough, giving ordinary investors a chance to learn both sides of the story.

      Not so much from a white-hat security perspective, of course. But as long as they aren't working for the company, nor of course out there exploiting the flaws to kill people, they're OK. It's not insider trading if you're an outsider.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Sketchy by theskipper · · Score: 3, Informative

      That's true and most likely what Muddy Waters did. Further, biotech traders especially are notorious for watching option flow because blowups are more common than positive outcome trials. And leaks are almost expected these days no matter how the trades are structured to hide inside info.

      But in this particular case it's almost definitely what you described, basically front-running their research just like Citron, Streetsweeper and others do. As a matter of fact, here's a screen shot showing a decent size put position being put on $STJ a few days ago (probably not just Muddy Waters but other cohorts too): https://twitter.com/WallStJesu...

      It's actually one of the few ways the little guy can bank based on "inside info" just by keeping an eye out for activity like this. I personally follow about 5 users who exclusively tweet blocks and unusual option activity; it pays off about 60% of the time (not just puts, calls too). Some opening positions really are most definitely based on the illegal-type inside info, the rest are front-running research like described above.

    3. Re:Sketchy by ShanghaiBill · · Score: 2

      How is this not some kind of insider trading

      Because none of the information is from inside. There is no law against doing your own research and publicising the result.

      and/or pump and dump scheme?

      This is the exact opposite of a "pump and dump". Muddy Waters is shorting the stock and then pushing the price down by PUBLISHING THE TRUTH. If it turns out the information was knowingly false, or published with reckless disregard for the truth, then they could be in big trouble. But that is unlikely because Muddy Waters has a long track record of being right on these things.

      Only company principals would have access to this type of info and it's not legal to divulge such prior to public filings.

      Absolute nonsense. RTFA. The company did NOT have access to this information. It came from independent research.

    4. Re:Sketchy by Anonymous Coward · · Score: 0

      Holes in remote software: Very plausible. And very fixable.
      Now if they found a protocol bug and used that to publish some keys buried in the firmware a la Jeep -Ehh eh oh, firmware patch would be expensive.

      Forget layer software - Do they have 'Plan B' sitting on a shelf ready to go? Yes? else punish those who 'stop' when 'done'.
      Agile and LEAN to blame for share price?

    5. Re:Sketchy by jcampb12 · · Score: 1

      Can you share those twitter users you follow? That seems like an interesting data point.

    6. Re:Sketchy by theskipper · · Score: 1

      Options/Blocks: @BlockTradeAlert, @WallStJesus, @CashRocket, @OpenOutcrier, @SpeedyCalls
      T/A: @WrigleyTom, @OptionsHawk for example
      Some pro biotech/pharma guys who actually know what they're talking about: @DewDiligence, @Ogut_Ozgur, @Biomaven, @BioDueDiligence, @DavidBautz, @zbiotech, @AF_biotech/@CNS_Investing. Too many to list, check the overlap of who they follow for more.

      HTH.

    7. Re:Sketchy by princealvin · · Score: 1

      any chance you'd PM me the twitter names of the 5 "users" you follow? If so, thanks...

    8. Re:Sketchy by theskipper · · Score: 1

      Someone else had asked the other day too, see here: https://science.slashdot.org/c...

  6. THIS IS GREAT! Exactly what we need to do! by Anonymous Coward · · Score: 1

    The market doesn't respond to ANYTHING other than profit or loss. This is EXACTLY what need be done to combat security-agnostic vendors of technology.

    If this starts a trend it will become a foolish business decision to willfully ignore vulnerabilities, and RIGHTLY FUCKING SO.

  7. Not related to the hospital by Anonymous Coward · · Score: 2, Informative

    For those who are confused (as I initially was), this is talking about St. Jude Medical, which is in no way, shape or form associated with St. Jude Children's Research Hospital (it's not even a spin off company).

  8. Insightful, +1 by PopeRatzo · · Score: 2

    Reading that made my head hurt.

    Really. The financial press makes the tech press look like Joseph fucking Pulitzer.

    --
    You are welcome on my lawn.
  9. MedSec did a good thing. by Anonymous Coward · · Score: 0

    The behaviour and attention to detail of companies that develop ICT-enabled clinical devices borders on negligent. Coupled with the highly disincentivising nature of the legal system, and the fact that in many cases the failure of such devices can kill patients, the entire industry needs a swift kick in the butt to get them to pay attention.

    Their actions might cause some people with an interest in St Jude to cry tears of blood, but the wider community's interests need to be taken into consideration. If health industry CEOs realise their lack of attention to such issues can kill stock prices and put their bonuses at risk they might look more closely at the quality of their systems.

  10. We're all giant security flaws from birth by JoeMerchant · · Score: 2, Interesting

    You're born: without constant care you will die, you have to be provided with food, shelter and all manner of special care - your head flops around if you aren't held properly.

    When we're more mature, we're still not bullet proof, knife proof, or able to withstand a sudden stop in the vehicles we travel in, there's a long list of chemical poisons that can kill, fast or slow, many undetectable - sudden death is a possibility during virtually every hour of every day. All it takes is a bad actor to point a gun, or crossbow, or speeding car in our direction and BOOM, we're dead, or worse, in an instant.

    We sleep in houses with glass windows, we congregate in large public gatherings, we invite mass murder and mayhem all the time. A single bad actor can kill hundreds with no special resources or skills.

    So, what's so scary about a pacemaker that can "be hacked" by someone with enough time and determination? Is it that they might get away with it untraceably? Hardly likely. With all the time and effort that would go into this sort of hack, you could literally commit "the perfect murder" a dozen different ways - many of them less likely to lead back to the perpetrator. If people start dying of hacked pacemakers, the FBI will start by looking at ex-employees of the company, related companies, and "white hat" outfits like in the article. It's a relatively small group, compared to people who might have access to sodium cyanide, or a handgun and a car.

    Having said all that, it is past time for medical device companies to start at least "closing the window" on nefarious hackability of their devices, which is why the FDA released cybersecurity guidance a couple of years back.

    1. Re:We're all giant security flaws from birth by dwywit · · Score: 1

      Same applies to much of IT - without electricity (food), it stops, without cooling (special care), it slows or stops, without careful nurturing in a special environment (alpha testing in a closed system), it won't mature (grow).

      And yet, short of death or severe damage to certain parts, we're self-healing without completely halting basic operations - you can break an arm and still walk, and we have redundancy - you can lose a kidney and still pee, you can lose an eye and still see.

      It's scary because it's our *lives* that are under threat, not our access to facebook.

      "Your computer crashed? Reboot it. If it keeps happening, call a specialist or replace it."

      "Your pacemaker crashed? You're dead."

      Also, terrorists. What's to stop IS from doing it once or twice (or as many times as they can), killing someone by faulting their pacemaker, and claiming publicly "We killed him!"

      We shouldn't underestimate the public panic that could cause. Look at what's happened to many of your "freedoms" since 9/11.

      --
      They sentenced me to twenty years of boredom
    2. Re:We're all giant security flaws from birth by AmiMoJo · · Score: 1

      It depends what type of hack is possible. If some script kiddy in Bulgaria can accidentally send an "off" command to every pacemaker made by these guys, then it's pretty severe. I doubt that is possible though, they can't contain modems or wifi because the battery has to last a decade or more.

      My understanding is that it's just that RF comms at a range of a few centimetres (like a contactless payment card) are not authenticated. So someone could switch the thing off at very close range, maybe further away with a big antenna, maybe not.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
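The comment above boils the reported weakness down to short-range RF commands that are not authenticated. The following is an added example, not code from the comment, from St. Jude, or from MedSec, and it does not model the real Merlin or device protocol: it uses a constructed, hypothetical frame layout (one opcode byte, a four-byte counter, an HMAC-SHA256 tag) and constructed keys to show, side by side, a receiver that acts on any well-formed opcode and a hardened receiver that verifies a per-device MAC and rejects replayed frames.

```python
import hmac
import hashlib
import struct

# Constructed, hypothetical frame layout for this example (not any real device protocol):
#   1 byte opcode | 4 byte big-endian counter | 32 byte HMAC-SHA256 tag over the first 5 bytes
OPCODES = {0x01: "read_status", 0x02: "adjust_rate", 0x7F: "disable_therapy"}
TAG_LEN = hashlib.sha256().digest_size  # 32
FRAME_LEN = 1 + 4 + TAG_LEN


class UnauthenticatedReceiver:
    """The weak design the comment describes: any well-formed opcode is acted on."""

    def __init__(self):
        self.actions = []

    def handle(self, frame: bytes) -> bool:
        if not frame or frame[0] not in OPCODES:
            return False
        self.actions.append(OPCODES[frame[0]])
        return True


class AuthenticatedReceiver:
    """Hardened form: a per-device key, a MAC over the command, and a strictly
    increasing counter so that a recorded frame cannot be replayed later."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.actions = []

    def handle(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN:
            return False
        header, tag = frame[:5], frame[5:]
        opcode = header[0]
        counter = struct.unpack(">I", header[1:5])[0]
        if opcode not in OPCODES:
            return False
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return False
        if counter <= self.last_counter:
            return False  # replayed or reordered frame
        self.last_counter = counter
        self.actions.append(OPCODES[opcode])
        return True


def build_frame(key: bytes, opcode: int, counter: int) -> bytes:
    """What the legitimate programmer (the clinic's wand or base station) would send."""
    header = bytes([opcode]) + struct.pack(">I", counter)
    return header + hmac.new(key, header, hashlib.sha256).digest()


def demo() -> dict:
    key = bytes(range(32))   # constructed per-device key for the example
    wrong_key = bytes(32)    # what a party without the real key effectively has
    weak = UnauthenticatedReceiver()
    strong = AuthenticatedReceiver(key)

    legit = build_frame(key, 0x01, counter=1)
    forged = build_frame(wrong_key, 0x7F, counter=2)   # correct format, wrong key
    bare = bytes([0x7F])                                # opcode only, no tag at all

    return {
        "weak_accepts_bare_opcode": weak.handle(bare),
        "strong_accepts_legit": strong.handle(legit),
        "strong_rejects_forged": not strong.handle(forged),
        "strong_rejects_bare": not strong.handle(bare),
        "strong_rejects_replay": not strong.handle(legit),  # same counter again
        "strong_actions": list(strong.actions),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The counter check matters as much as the MAC: without it, a frame recorded from a legitimate clinic session would verify forever. A real implant would also need key provisioning and a key-rotation story, which this example leaves out.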
    3. Re:We're all giant security flaws from birth by JoeMerchant · · Score: 2

      The "programmer wands" in old-school pacemakers only work up to about 6" away... they're special antennas, though you might be able to get some anti-theft door systems to operate the devices - but that would be a truly traceable hack.

      Newer systems are getting "more connected" with in-body networking to other devices and slightly longer range RF, but none of them are "constant contact" with the cloud, and the systems I'm aware of do not have any "kill the patient at midnight on December 23rd" program capabilities... if you're going to switch it off, it's going to happen more or less immediately after the communication event.

    4. Re:We're all giant security flaws from birth by PeeAitchPee · · Score: 1

      My Dad has an STJ pacemaker with the Merlin at home communication device in question. Merlin is a monitoring device that the implantee sets up next to their bed, and it wirelessly monitors the pacemaker while they sleep. In case of a cardiac event, it notifies the central monitoring facilities and also sends info about the status of the patient's heart and pacemaker (kind of like a burglar alarm system). It is a real game-changer and has saved many people's lives. Merlin operates over old-school POTS (not WiFi or even Ethernet) which these days is likely a bit more secure than going over the Internet anyway. I don't know enough about the attack vector but it sounds like the Merlin station wasn't suitably hardened, which is incredibly common in so many of these first gen in-house technologies. I doubt a hacker could remotely turn off a pacemaker, and that likely wouldn't kill my Dad anyway, but obviously this issue needs to be fixed (and it will).

      Having said that -- hackers gonna hack, and I get it. However, it should be illegal to have knowledge of this type of vulnerability with a medical device and to choose not to report it so you and your pathological buddies can short stocks. I can't think of much that's more greedy and immoral than that. This isn't some server to be taken over -- you're potentially messing with real peoples' health so you can make a quick buck. There is no place in any civilized society on earth for those types of inhuman pieces of shit.

    5. Re:We're all giant security flaws from birth by JoeMerchant · · Score: 1

      When I read "it should be illegal to have knowledge" I hit a full stop, right there... however, using knowledge for "insider trading" is a special case, and I could see this being worse than simple company insiders profiting (as they do all the time, skirting the edges of the regulation - and frequently stepping over because they know enforcement is lax.)

      Ultra-libertarians might argue that the profit is reward for ultimately exposing life threatening vulnerabilities, ultra-libertarians are also mostly psychopaths - professedly unable to grasp that pure freedom for all results in single actors taking gross advantage of, and doing harm to large numbers of people who happen to be at a disadvantaged position - resulting in a net-negative situation that benefits a very small percentage of people.

    6. Re:We're all giant security flaws from birth by PeeAitchPee · · Score: 1

      I'm generally small-L, practical libertarian (not one of the psycho variety you describe above) who supports the free market and civil liberties, but I'll absolutely stand by my original statement: if you have knowledge of a serious exploit in a critical medical device like a pacemaker or artificial heart, and you choose NOT to report that information so you can instead profit from it, you should go to jail, and for a long time. Most sane, mainstream libertarian-leaning folks acknowledge that some amount of regulation is necessary for the common good. The ultra libertarians need to grow up a little and stop looking the other way when someone does something as completely immoral as this.

    7. Re:We're all giant security flaws from birth by AmiMoJo · · Score: 1

      Thanks, interesting stuff.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:We're all giant security flaws from birth by phorm · · Score: 1

      "what's so scary about a pacemaker that can "be hacked" by someone with enough time and determination"

      Well, part of it would be detection, and - depending on the hack - range. If, for example, a malicious actor could write a virus that causes all infected mobile phones to take down pacemakers in the area... that would be bad shit. Given the number of insecure IoT devices out there, it need not be a phone, but one of thousands or millions of little devices which could be converted to nefarious means.

    9. Re:We're all giant security flaws from birth by Anonymous Coward · · Score: 0

      It's amazing -- and slightly retarded -- that you think that someone who discovers something is then somehow obliged to behave in someone else's best interests.

      Someone who discovers a security flaw in a device like this is in NO way obliged to look out for anyone's interests aside from their own. The idea that you saddle them with some burden that they never agreed to is ludicrous.
      The obligation is between the device designer/producer and the purchaser, and has nothing to do with disinterested third parties.

      I suppose you're the type that feels that if you discover someone is cheating on their spouse, you're obliged to tell the cheated-upon party? Or if you hear your neighbor is cheating on their taxes, you should report them or go to jail?

    10. Re:We're all giant security flaws from birth by JoeMerchant · · Score: 1

      Shortly after posting this, someone informed me of a "nightly contact with the cloud" system that has been out there for a while (uses POTS, so that puts some kind of date range on it). So, if you don't trust the cloud contact, then a whole lot of pacemakers might get shut off at once that way. Not everybody who loses their pacemaker functionality has serious trouble, or any kind of trouble right away, but some will...

    11. Re:We're all giant security flaws from birth by JoeMerchant · · Score: 1

      Pacemakers are getting more connectivity options all the time, but I don't think anyone has gone so trendy as to give one bluetooth, yet. (There are some fundamental problems transmitting 2.4GHz from inside living tissue...)

  11. Re:Little Pharma by Anonymous Coward · · Score: 0

    Who doesn't?

  12. Sensationalists! by no-body · · Score: 1

    There: "MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes"

    nuff said....

    Maybe even investors listening to the grapevine went short before the hubbub, trying to make a buck.

    1. Re: Sensationalists! by Anonymous Coward · · Score: 0

      The FTC is going to be very interested in the people who made money off of this.

    2. Re: Sensationalists! by Anonymous Coward · · Score: 1

      As other people have noted, trading laws don't work that way. As long as YOU don't work for company X, you have every right to research company X and their products, look for flaws, and short the stock if you find something severe. You can even tell the whole world (truthfully) about the flaw after you shorted the stock. No laws broken. Because you are not an insider.

  13. Security Gnomes business plan by Michael+Woodhams · · Score: 1

    (1) Investigate safety critical devices for security flaws until you find one
    (2) Short sell the manufacturer of the flawed device
    (3) ???
    (4) Profit!

    While I don't see anything illegal here, I'd want the advice of a good lawyer before putting it into practice.

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  14. Re:Little Pharma by Anonymous Coward · · Score: 1

    Statistically speaking, about half the world's population.

  15. Re:So, it's about profit? – Oh nooo! by Anonymous Coward · · Score: 0

    You can define capitalism as the investment of money (capital) in the production of goods or services with the objective of obtaining more money (profit).

    This is fundamental to the workings of any society. You can't escape it. Even if you don't use something that looks like money or a corporation, it's fundamental to human nature--even the most primitive tribesman invests his capital with the objective of obtaining some return. It might be an investment of time rather than money, and the return might be status or a mate rather than more money; but the principle is the same.

    Those who seek to abolish capitalism ignore this fundamental truth not only to their own peril, but the peril of the society in which they attempt to abolish said system.

    The proper way to address the injustices is by going after the *greed*, not the capitalism. That which is criminal is criminal, regardless of motive. The radical leftist also invests after a fashion--in the activities of revolution, with the objective of obtaining his envisioned paradise. The nature of investment and return is so ingrained in the human psyche--the communist is just a capitalist of a different sort; but he fails to understand that.

    Those who fail to understand capitalism are doomed to reinvent it poorly.

  16. Live? by Mikkeles · · Score: 1

    ".... It seems like a high stakes game that people may live to regret."

    More like '... die to regret.'

    --
    Great minds think alike; fools seldom differ.
  17. This is what the NSA and FBI *should* work on by PeeAitchPee · · Score: 1

    Instead of wasting time and money doing dragnet email and phone surveillance and conducting bullshit entrapment stings to create fake "terrorists," the TLAs should absolutely exterminate these kinds of human garbage. Seriously, they need to identify and prosecute these fucks with the most extreme prejudice possible. Human greed has no boundaries.

  18. I thought St. Jude was nonprofit??? by Anonymous Coward · · Score: 0

    Wait a minute here, I thought St. Jude was nonprofit??? Are you really telling me it is a for-profit, publicly traded corporation??!?!

    I can't believe I have been giving them money all of these years.

    1. Re:I thought St. Jude was nonprofit??? by Attila+Dimedici · · Score: 1

      Different organizations. St Jude Children's Research Hospital is a non-profit (and a very good one from everything I have heard).

      The article is about St Jude Medical, a completely unrelated organization.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  19. God Damn You! by Anonymous Coward · · Score: 0

    How dare you marginalize the writer's sensationalism like that! They've got to eat. They might have a family, or gay partner, or a cat to feed and clothe and you just dismiss their work with a casual remark like that?

    You are literally the worst thing about society today. What is wrong with you? Don't you have any feelings at all? Are you old or something?

  20. Stock manipulation by Anonymous Coward · · Score: 0

    is illegal. Or it used to be.

  21. Yet another massive government failure. by Anonymous Coward · · Score: 0

    Where is Obama here? Why isn't he dealing with this instead of stumping for crooked hillary? Here we have yet another case of government incompetence and irresponsibility and no one is calling out the real criminals. Shameful.

  22. I have an ICD from a different company by Blinkin1200 · · Score: 1

    I have an ICD from a different company and I can communicate with it up to about 10 meters (not wifi). I'm hoping to improve my antenna design to increase the distance a bit.

    Secure? Nothing is really secure...

  23. Golden Opportunity to Establish Good Policy by sigmabody · · Score: 1

    This would be an excellent opportunity for the government to establish a policy to improve information security for vital systems (if the government were at all inclined to establish beneficial policy... but just go with it for the hypothetical).

    The FDA could offer an open, public bounty for any demonstrable vulnerability in any medical device, with a sufficiently motivational amount (say, 2x the going black market rate for desirable vulnerabilities in other areas). Then they could establish a policy of fines levied in a multiple of that amount (say, 5x) against any vendor producing or marketing a product which had the vulnerability. At current going rates, that would be maybe a $100k bounty, and a $500k fine per vulnerability. Totally legal (FDA has existing jurisdiction to do so), and a great policy.

    You'd see a sea change in the industry, as it would no longer be profitable to ignore info-sec entirely. Moreover, it would be a great precedent, monetarily scales up automatically, drives research which makes everyone safer, and it could be easily applied to other industries for the same goal and effect (e.g. airlines, automobiles, smart grid, vital infrastructure, etc.).

    Man, things like this make me REALLY wish we had a government which wanted to do beneficial things for the people...

  24. IPV6 and IoT by Dareth · · Score: 1

    With IPV6 and IoT, every device can have its own IP address. You can even monitor your loved ones...

    ping grandpa .... No Response ... No Response ... No Response

    GRANDPA!!!!!

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  25. Most missing the story by Anonymous Coward · · Score: 0

    There are two elements to this story; most commenting only picked up on one.

    1) St Jude's software on its pacemakers allegedly is insecure and can be hacked.

    2) Note allegedly. The company reporting this lack of security followed a very poor operating model; they reported it to an investment advisory firm and not to St Jude. If MedSec, who claims to have discovered this, was interested in proper medical device security, then wouldn't they report it to St Jude? Instead they reported it to an investment advisory firm which then recommended shorting the stock, driving the price of St Jude down all amidst a take-over of St Jude by Abbott Labs at a premium to the original stock price. The fact that they reported it to a securities advisory firm suggests that something much fishier might be going on than poor device security.

    1. Re: Most missing the story by Anonymous Coward · · Score: 0

      you seriously think the makers of insecure stuff will pay a penny to unsolicited researchers ?

      managers and directors are greedy idiots who care about immediate profit and will not reward any good input with unplanned monetary gratification.

      it would destroy their nice excel plans of making a fat profit.

      one of my former co students works for a major medical electronics biz as a sw engineer.

      his attitude is WeDoNotGiveShit. at least until fda comes knocking.

      you know their brand. multi billion dollars a year revenue.

  26. Agreed by Archfeld · · Score: 1

    I agree, but had the story not been published, what do you think the chances are they would have heard about the issue, period? I am certain the manufacturer would not have willingly acknowledged the possible issue without external pressure.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Agreed by Pseudonym · · Score: 1

      I'm not disputing that it's a story. We've both been on Slashdot for a long time, and our memories are probably hazy, but nonetheless help me out. Has "some analyst bets against the share price" ever been the primary focus of the story here?

      One AC above noted that the real issue is that the maintainer of an implantable biomechanical device may go bust, stranding everyone who has one implanted and (as a general case) the huge risk inherent in the rise of the Internet of Safety-Critical Things. That is the news for nerds and the stuff that matters. That is not what the headline, the write-up, or most of the up-voted top-level comments are focussing on.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  27. You are correct by Archfeld · · Score: 1

    To my knowledge you are correct. Stockholder and analyst views were never before an issue or the focus of tech stories. I think part of the change comes from the 'new' phenomenon of kickstarter/crowdsource financing which started fairly recently and part from the ridiculous way in which stocks now fluctuate based on some know-nothing's comments to the media. I can see a future in which Bunsen Honeydew's insights will affect the bottom line of venture capital/tech companies.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  28. Medical devices/software permanently insecure by Anonymous Coward · · Score: 0

    Been working in medical device and medical software applications space for almost 20 years.
    ALL security of medical devices and applications is Extremely poor by the good vendors.
    Half of the vendors have security holes so bad you wonder how they managed to get past the startup phase.

    I have left a few companies when it was clear the only history they will have is some data breach that will put them out of business.
    I am about to leave my current employer for the same reason.

    The FDA and HIPAA-related security practices are not the problem.
    What you are regulated to do is not related to what you need to do to make something secure.

    Getting your device or application approved for medical use does not require demonstrating any type of security.
    For the FDA, you have to provide secure credentials to everything so they can 'try it out'. To get something certified by FDA you have to let them compromise your security.

    It's Nuckin' Futz and will never improve.

  29. As a Cisco Engineer. by Anonymous Coward · · Score: 0

    Who worked the production line. I am certain the claims are full of shit.