SoylentNews is people

posted by martyb on Monday September 05 2016, @11:01PM
from the devices-not-bricked dept.

TechDirt reports:

A team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.

[...] Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.

Updated: El Reg reports:

"We're not saying the [MedSec] report [on St Jude Medical's implanted pacemakers and defibrillators] is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue", said Kevin Fu, [University of Michigan] associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.

[...] MedSec's report [...] reads:

In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers. It was therefore impossible to tell whether, and how the Cardiac Devices, are functioning. MedSec strongly suspects they were in many cases "bricked"--i.e., made to be non-functional. It is likely physicians would explant a device that did not respond to the programmer.

In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming.

According to U-M's team, though, the implanted pacemaker or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted.

In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed. It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation.

[...] In El Reg's view, if the communications are temporarily disrupted it's hard to see how this is a super serious issue. On the other hand, if the radio jamming stops all further communication from the implant to a monitoring terminal, that's going to potentially require surgery to fix, which is not optimal. However, bear in mind, there is no hard evidence that a device is "bricked"--merely MedSec's strong hunch that this has happened.


  • (Score: 0) by Anonymous Coward on Monday September 05 2016, @05:02PM

    by Anonymous Coward on Monday September 05 2016, @05:02PM (#397845)

    "Fortunately, the computer virus did no harm to our records. It was immediately devoured by the bugs in our programs."

    • (Score: 2) by davester666 on Monday September 05 2016, @06:01PM

      by davester666 (155) on Monday September 05 2016, @06:01PM (#397859)

      Yeah, this is stupid.

      Why would they not take one of these pacemakers/defibrillators that are not installed in a person, rig up a system to make its sensors think it's in a person, jam it and then check to see if it is still functioning?

    • (Score: 1) by bro1 on Wednesday September 07 2016, @11:35AM

      by bro1 (404) on Wednesday September 07 2016, @11:35AM (#398651)

      http://risky.biz/RB425 [risky.biz]

      I would recommend listening to this podcast, where one of the MedSec researchers is interviewed. I don't really think security holes in med devices are so harmless.

  • (Score: 3, Informative) by tisI on Monday September 05 2016, @05:19PM

    by tisI (5866) on Monday September 05 2016, @05:19PM (#397848)

    I've had a St. Jude pacemaker/ICD in since July 2010. Still have 2 years life left on a 5 year battery. Very nice device. Good company.
    This report is complete and total shit, and invented for financial scam purposes only .. by trolls.

    I don't fear someone fucking with my device in any way. There is NO need for these scam cocksuckers to attack this company like this, just to manipulate the "market".
    These pieces of shit (Muddy Waters Capital LLC and MedSec Ltd), are the real terrorists and are the ones we should be hunting down like dogs.

    The only danger with any of these devices is if you place a powerful magnet on top of it, and as with any harddrive, you will scramble/erase data.
    Communication with the device is done with St. Jude equipment. The average retard hacker on the street cannot just "hack" you.

    So, by their scenario, if a Muddy Waters or MedSec henchman wants to come into my bedroom, stand next to my bed, and fuck with my Merlin device scanner, I will pull my .357 from my nightstand drawer and blow their heads off.

    This is the extent of the danger, except for turning the light on and exposing the real lowlife parasites like Muddy Waters Capital LLC and MedSec Ltd.

    --
    "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself."
    • (Score: 2) by frojack on Monday September 05 2016, @05:29PM

      by frojack (1554) on Monday September 05 2016, @05:29PM (#397849)

      Don't hold back, tisl, tell us how you really feel.

      The whole thing sounded like nonsense when I first read the reports.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1) by tisI on Monday September 05 2016, @06:40PM

        by tisI (5866) on Monday September 05 2016, @06:40PM (#397867)

        Yes, nonsense & bullshit

        The full purpose of their intent though is not benign.
        Their intent is malice and slander. Nothing else.

        Worse, they are given credit for releasing a sensational discovery that is a complete lie. And profiting off of it.
        If you had a shred of morality, you'd be offended too.

        --
        "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself."
    • (Score: 2) by dyingtolive on Tuesday September 06 2016, @12:46AM

      by dyingtolive (952) on Tuesday September 06 2016, @12:46AM (#397932)

      I don't have a strong opinion on the tech, but shorting the stock of the company you're about to trash is some high quality next level fuckstick behavior.

      Here's hoping that karma sees someone gets their nuts put on a pike as a warning to others over this.

      --
      Don't blame me, I voted for moose wang!
      • (Score: 0) by Anonymous Coward on Tuesday September 06 2016, @01:07PM

        by Anonymous Coward on Tuesday September 06 2016, @01:07PM (#398075)

        yeah... how is this not insider trading?

  • (Score: 2, Informative) by Anonymous Coward on Monday September 05 2016, @05:37PM

    by Anonymous Coward on Monday September 05 2016, @05:37PM (#397851)

    The precursor story wasn't included and hasn't made the front page yet.
    Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security [soylentnews.org]

    -- OriginalOwner_ [soylentnews.org]

  • (Score: 3, Funny) by Snotnose on Tuesday September 06 2016, @02:45AM

    by Snotnose (1623) on Tuesday September 06 2016, @02:45AM (#397951)

    > Um, looks like your heart rate has dropped to 0, shall I initiate a shock?
      404, page not found
    > Um, your heart rate looks pretty bad, wat du?
      404, page not found
    > I've looked it up, a 0 heart rate is Not A Good Thing(tm), I really need permission before I shock you with potentially life threatening electricity.
      page not found.

    --
    I came. I saw. I forgot why I came.
  • (Score: 0) by Anonymous Coward on Thursday September 08 2016, @03:17AM

    by Anonymous Coward on Thursday September 08 2016, @03:17AM (#398996)

    St Jude sues short-selling MedSec over pacemaker "hack" report [theregister.co.uk]

    The medical supplier says it has sued both security firm MedSec and researcher Muddy Waters, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators. They then made money by short-selling the stock when the news broke.

    The charges include false advertising, false statements, conspiracy, and market manipulation.

    -- OriginalOwner_ [soylentnews.org]