After MedSec revealed remotely exploitable flaws in St. Jude pacemakers and defibrillators to the financial research firm Muddy Waters, which chose to profit from how far St. Jude stock fell once the report (pdf) was made public rather than follow a “responsible disclosure” path, St. Jude struck back by essentially calling Muddy Waters’ claims a bunch of lies.
MedSec claimed the St. Jude devices, which use no encryption or authentication in the wireless protocol, could be easily hacked, based on testing the hardware the firm purchased on eBay. The two most shocking claims involved remotely exploiting pacemaker functions and running the device’s battery down from 50 feet away.
Carson Block, the founder of Muddy Waters, told Bloomberg, “The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction.” Block said St. Jude “should stop selling these devices until it has developed a new secure communication protocol.”
St. Jude, a “strong supporter of responsible disclosure,” issued a statement disputing the “false and misleading” report by Muddy Waters.
“The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report.
In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient.”
The functions of the life-saving devices are controlled by a Merlin@home unit. Muddy Waters’ Block said Merlin@home has practically no security: it runs outdated Linux on off-the-shelf chips and includes hard-coded credentials.
The alleged flaws, according to St. Jude, apply to older Merlin@home versions as the devices had “not been updated through the automated remote upgrade process.” Recall that MedSec had purchased the hardware via eBay.
As if addressing freaked-out patients and doctors, St. Jude added, “Our system provides an automated remote upgrade process for all Merlin@home units that are in active use so that security enhancements are automatically deployed when they become available. Merlin@home units that are not in active use and connected to the internet will also be upgraded when they return to use if a new update is available.”
Lies and more lies
According to Errata Security’s Robert Graham, both Muddy Waters and St. Jude were being “highly dishonest.” He picked apart the reports by both companies before deciding the Muddy Waters document “is crap” and St. Jude’s response is “equally full of lies.”
Being a self-confessed “die-hard troll,” Graham chose to “vigorously defend the idea of shorting stock while dropping (a) 0day.”
Graham said MedSec did not drop a zero-day vulnerability; instead it dropped “claims” of a zero-day. As is often the case when researchers opt for public disclosure instead of responsible disclosure, the point is to keep the vendor from sweeping the bugs under the rug.
Graham pointed out:
If companies knew ethical researchers would never drop an 0day, then they'd never patch it. It's like the government's warrantless surveillance of American citizens: the courts won't let us challenge it, because we can't prove it exists, and we can't prove it exists, because the courts allow it to be kept secret, because revealing the surveillance would harm national intelligence. That harm may happen shouldn't stop the right thing from happening.
If exploited, neither of the two zero-days would result in the victim falling over dead immediately. “Both attacks require hours (if not days) in close proximity to the target,” Graham wrote. “If you can get into the local network (such as through phishing), you might be able to hack the Merlin@Home monitor, which is in close proximity to the target for hours every night.”
Muddy Waters thinks the security problems are severe enough that it'll destroy St. Jude's $2.5 billion pacemaker business. The argument is flimsy. St. Jude's retort is equally flimsy.
The FDA and Homeland Security are investigating the whole mess.