SoylentNews is people

Security Startup MedSec Shorts St. Jude Medical Stock To Punish It For Flimsy Pacemaker Security

Accepted submission by -- OriginalOwner_ http://tinyurl.com/OriginalOwner at 2016-09-01 08:27:15
Security

from the well,-that's-a-novel-approach dept.

TechDirt reports [techdirt.com]

A team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers [techdirt.com] for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.

According to MedSec Chief Executive Officer [bloomberg.com] Justine Bone, St. Jude has a long history of implementing sub-standard security, and then doing little to nothing once these vulnerabilities are pointed out:

"As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts," Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor's visit, she said.

[...] Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.

[...] The timing is trouble for St. Jude, which is in the process of finalizing a potential $25 billion acquisition by Abbott Laboratories.

[...] The decision to punish St. Jude in this fashion immediately triggered an ethics debate in the hacker and security community.

[...] MedSec says it found two 0-day exploits opening pacemakers to attack, either by draining the battery or crashing the device software (both require being relatively close to the target). But the group also found that the company's pacemakers often use no encryption or authentication over wireless, and the devices all use the same password to connect to the St. Jude network, opening the door to a reverse engineering hack on the network at large.

