MedSec/Muddy Waters & The Future Of IoT Security

Published: 22/11/2024   Category: security




St. Jude vulnerability report could be test case for vulnerability disclosure.



The responsible vulnerability disclosure debate has lain relatively dormant for years but has just been rudely awoken. Last week, cybersecurity firm MedSec partnered with Muddy Waters to short-sell medical device company St. Jude Medical, releasing incomplete data about vulnerabilities in St. Jude Medical's pacemakers, implantable cardioverter-defibrillator (ICD) devices, and the Merlin@Home monitoring device that communicates with them. The deal would enable MedSec to profit from a drop in St. Jude's stock.
The event has raised new questions about what this means not just for vulnerability disclosure, but for the future of IoT security.
Was It Necessary? 
In a Bloomberg interview Aug. 25, MedSec CEO Justine Bone said: "...given St. Jude Medical's track history of brushing these security issues to one side and basically making no changes whatsoever to their technology -- despite having researchers call their attention to issues in the past, despite the DHS investigation, despite FDA requirements that cybersecurity be prioritized -- nothing has changed in the St. Jude Medical technology suite. So we did not feel confident that the most effective way forward was to approach St. Jude Medical."
Bone did not respond to a request for comment on this story. 
The pacemaker vulnerabilities first exposed by the late Barnaby Jack in 2012 were known to impact multiple pacemaker vendors, but the full details about those vulnerabilities and the affected makes/models were never revealed, because of Jack's untimely death days before he was due to present his research at Black Hat in 2013.
There are no CVE numbers listed for vulnerabilities in St. Jude Medical devices or systems. Documented US Food and Drug Administration (FDA) warning letters to St. Jude Medical do not include any references to cybersecurity. An FDA representative confirmed to Dark Reading, "To date, the FDA has not issued any warning letters or safety communications related to cybersecurity concerns specific to St. Jude Medical devices."
St. Jude Medical also has a vulnerability disclosure program active on its website; several other medical device manufacturers have these programs now. The FDA, in cooperation with the Department of Homeland Security's (DHS) ICS-CERT, are the official handlers of cybersecurity matters related to medical devices, and have published guidance on cooperative vulnerability disclosure.
A MedSec/Muddy Waters representative says they sent the FDA a report about the St. Jude vulnerabilities and estimated that it was e-mailed the day before the public report was released. The FDA told Dark Reading that they received the report the same morning the public report was released, and that it was identical to the public report.
Therefore, if St. Jude is to improve their security, they must do it without the direct help of MedSec: MedSec researchers are the only ones known to have full details about the vulnerabilities. Others, however, are looking.
The FDA and the DHS are currently conducting an official investigation. University of Michigan professor and director of the Archimedes Center for Medical Device Security Kevin Fu said this week, "We're not saying the report is false. ... We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue."
Used Merlin@Home monitoring devices listed for sale on eBay have been selling quickly.
Despite the progress made in medical device cybersecurity, some researchers say moves like MedSec's are still necessary.
"From my experience, responsible disclosure does not always work," says IOActive security researcher Cesar Cerrudo, known for his work on satellites and other IoT devices. Cerrudo says, in fact, that responsible disclosure works less than half the time.
Was it ethical?
There are two key questions here. Are there threats or costs to the patients that MedSec did not adequately consider? And is it ethically questionable for a security company to profit from a company's poor cybersecurity without helping it fix the problems?
As for financial costs, according to Healthcare Bluebook, a fair price for an insured patient in the United States to pay out-of-pocket to have a pacemaker inserted is $25,924; to have an ICD inserted is $64,278. That fair price generally falls within the 30th to 55th percentile of what patients actually pay. So, depending upon insurance, region, and choice of hospital for the procedure, many patients pay more than that. If an implanted device is recalled, some insurance companies are now coercing device manufacturers to give partial credits back to patients.
Marie Moe is both a pacemaker cybersecurity researcher and a pacemaker patient who says she is "hacking her own heart." She told Dark Reading in a statement, "As a patient I am angry, because the researchers did not seem to act in the interest of patient safety with their choice of disclosure strategy. They used fear mongering as a tactic to maximise their monetary profit. The lack of empathy is striking."
Moe polled other patients when speaking at a conference earlier this week. Curiosity was their dominant reaction to the MedSec news, but none thought that MedSec's actions were ethical. Moe also polled her Twitter followers, whose responses were mixed; however, the majority still felt it was unethical.
Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative, founding member of I Am The Cavalry, and member of the US Department of Health and Human Services Health Care Industry Cybersecurity Task Force, points to one of I Am The Cavalry's positions on disclosure: "Those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk."
However, Cerrudo argues this: "I don't know why people get so mad because they didn't release the details." He points out that MedSec is being criticized both for releasing too many details and for not releasing enough; and also that there is, as Bone said, no immediate threat to patients.
As for turning a profit, Cerrudo says, "Any company can do what they want with their research." He does point out, however, that IOActive would not follow MedSec's lead.
What's the lasting impact on IoT and medical device cybersecurity?
"This will make it harder," says Corman. He points to progress that has been made, like the vulnerability disclosure guidance, and the fact that a medical device was actually recalled because of a cybersecurity concern. Device manufacturers, government agencies, and cybersecurity researchers working together have made progress, but adversarial actions like MedSec's action against St. Jude will work against it.
"If you hurt relationships," he says, "you're going to continue to have unsafe medical devices."
"As a researcher I am worried about how this behaviour may make things worse for other researchers that do want to follow a coordinated disclosure process," says Moe. "The betrayal of trust can make it more difficult for us to succeed with a more cooperative and less noisy approach."
Cerrudo, though, says that, depending upon how this case shakes out, it could have a positive effect. If St. Jude doesn't recover, other companies may see MedSec's action as a red flag and decide, "We need to be careful, because someone could affect our stock price."
Will other companies follow suit?
Cerrudo says that while IOActive won't follow this model, others might, depending upon how successful it is for MedSec.
Just how much MedSec will earn or has earned is a big question mark. It all depends on the short sell Muddy Waters made. They bet x amount of money that St. Jude stock would drop y points by z date and agreed to give MedSec x percent of the winnings. How much does that add up to? The details of the short sell and the agreement were not publicly disclosed, and a Muddy Waters/MedSec representative did not share any more.
It remains unclear whether a company could earn anywhere near the amount of money fetched in some of the priciest bug bounties without having to find, and prove it found, something as elusive as a remote code execution bug in iOS. If so, that could have an enormous impact on the zero-day market.