Our pacemakers are totally secure, says short-sold St Jude

The manufacturer of pacemakers and defibrillators has slammed a report by security researchers, arguing it puts patients' lives at risk. On Thursday security startup MedSec claimed that St Jude Medical pacemakers and defibrillators were easily hackable and that hackers could either run down the batteries in patients' implanted …

  1. Sebastian A
    Facepalm

    Thankfully the US will soon have a president who'll hold Wall St to account for these kinds of shenanigans. Oh wait...

    1. kain preacher

      That's called insider trading. The feds can go after them

      1. Dr_N

        US politicians are exempt from insider trading laws.

        Shocking, but true.

      2. Anonymous Coward

        That's called insider trading. The feds can go after them

        I'm not sure it's insider trading but it sure is a dodgy type of reverse pump & dump. Worth keeping an eye on - especially if the basis of this report turns out to be false there will be all sorts of fun consequences.

        If it is NOT followed up in court I suspect Wall Street will have a new way to manipulate stock without consequences. Not that they appear to need that, but it made a profit. As far as I understand the US brand of capitalism, that appears to function as a sort of universal get-out-of-jail card.

        1. Primus Secundus Tertius

          Exactly right, AC!

          Not insider trading, but shaking the market with irresponsible rumours and waiting for the money to fall out.

          Happens in London as well, as I am sure you know.

        2. kain preacher

          `

          Insider trading is much different in the US than in the UK. Insider trading is if you have information that is not available to the general public that can affect the share prices and is used to make money off the information. It does not require you to work for the company. I.e. you find out that a product is about to be labeled defective. The gov is going to issue a recall before making it public.

          1. Anonymous Coward

            Re: `

            Insider trading is if you have information that is not available to the general public that can affect the share prices and is used to make money off the information.

            Yes, but is it insider trading if you simply make shit up? In that case you're misleading investors by making it appear you have insider information, but in reality you're just trolling a stock to short it. I'm not sure what laws that breaks, but I suspect the SEC may have that answer ready to roll.

  2. Gene Cash
    Thumb Up

    Finally

    Crap security is starting to become a monetary concern to the manufacturers.

    Good! Maybe it'll start being a concern when they code the next product.

    I see they didn't contact the manufacturer, but they sound like the sort of self-righteous "It couldn't happen to OUR product" assholes that would have swept it under the rug and instantly threatened lawsuits. Instead, they got a public beating that seems to have been fairly productive.

    1. Old Handle

      Re: Finally

      Absolutely, I see that as a good thing. Now if it turns out they released bogus information in order to manipulate the stock price, I hope they get in serious trouble, we'll have to wait and see.

  3. Oengus

    When there is a quick buck to be made.

    Responsible disclosure rules

    When there is a quick buck to be made most of the "Bloomberg/Dealers/Traders" types will jump at the opportunity and cash in and damn responsible behaviour. Doubly so when there is a "loophole" they think can be exploited.

    1. heyrick

      Re: When there is a quick buck to be made.

      I think it is simply that "responsible behaviour" is fundamentally incompatible with the market. You can't cash in while being "nice".

  4. Andrew Commons

    Faraday cage?

    "Once the device is implanted into a patient, wireless communication has an approximate 7-foot range."

    Regardless of the sensitivity of the receiver or the strength of the transmitter used by the attacker?

    1. Goopy

      Re: Faraday cage?

      Ya gotta love how MedSec hasn't yet said a word on how they did the tests. Good point, mate!

    2. ecarlseen

      Re: Faraday cage?

      This. Anyone who goes around saying that "the range of this product is x" when they don't control all sides of communication is full of it. It's not just sensitivity and strength - the right antenna(s) make a huge difference as well.

    3. Paul Renault

      Re: Faraday cage?

      I saw that range of 7 feet and thought: Whaaa! It should be inches, not feet!

    4. a_yank_lurker

      Re: Faraday cage?

      Both sides are probably ladling the BS though I think the company is probably laying out less. The "report" was issued in a manner to cause a share price drop so some short sellers could make a killing (pun intended). These devices are vulnerable because they require a radio link for some of the functionality. However, how easy the vulnerabilities are to exploit is also important. If the company claims are reasonably close to reality then the real story is not that they exist but that they are difficult to use and the vast majority of patients do not need to worry.

  5. paulf
    Coat

    Let's get this straight

    One company finds a security hole in another company's products and accuses that company of not fixing them because they put profit before safety but before disclosing their findings they place a bet on that company's shares in the hope their (disputed) report pushes the share price down which it does thus they make a profit at the expense of the safety that would have resulted from a prompt disclosure.

    Surely this is just a sophisticated pump and dump scam?

    1. Mark 85

      Re: Let's get this straight

      More like market manipulation which can be "pump and dump" but that's something different. I'm wondering how the SEC will respond to this as this whole scenario does stink to high heaven. While I find it interesting that MedSec would do this, not contacting St. Jude before selling short and announcing really seems unethical to me.

      1. paulf
        Pint

        Re: Let's get this straight

        @ Mark 85 "More like market manipulation..."

        You're right. By means of an excuse, I wrote that comment at 0500 (long story) on BH Monday and as I'd only had one coffee by then the brain was more sludgy than normal. Icon - what I enjoyed several of that evening after a long day.

  6. Ru'

    Surely they could fall foul of all the misuse of computer equipment hacking type charges often levelled at hackers of government systems? It's one thing finding weaknesses and reporting them to the manufacturer so they can be fixed, but quite another making a quick buck first.

    1. Goopy

      Uh, St. Jude isn't a government entity, so how does your guess play out?

  7. Anonymous Coward

    If the company really has faith in their products, then they can buy their shares back when they're cheap and come out well ahead in the long run.

  8. Clive Harris

    St Jude? What a name!

    St Jude, otherwise known as St Judas, is traditionally the patron saint of lost causes. I'm not sure I'd want his name attached to a vital piece of medical equipment.

    Explanation: St Judas, i.e. the "good Judas", or the "other Judas", seems to have been a good bloke, but had the misfortune to share the same name as the world's most infamous traitor - a bit like having the surname "Hitler", only worse. As a result, he was going to have a rough ride whatever he did. I think that's why, in some people's minds, he ended up as the "Saint of Last Resort", specialising in doomed enterprises.

  9. Natalie Gritpants

    Who wins, who loses?

    Some shareholders have sold at lower than they would have - losers

    The short selling parasites have made some money - winners

    Medsec have blown their reputation for a scummy deal - total losers

    1. katrinab

      Re: Who wins, who loses?

      Some shareholders bought shares for a higher price than they would have, had they known the full information about the company that the seller was in possession of.

      Shorting shares works like this: You borrow shares from a mutual fund, pension fund or similar. You sell those shares on the market. You buy them back at the end of the loan period at hopefully a cheaper price than you sold them for, and you hand them back to the lender.

  10. Pascal Monett
    Facepalm

    "Muddy Waters, the Wall Street firm"

    A Wall Street firm named Muddy Waters.

    Are they actually trying to make people understand what a cesspit the whole Stock Exchange thing has become?

    1. Anonymous Coward
      Facepalm

      Re: "Muddy Waters, the Wall Street firm"

      This is America. It is probably the founder real life and parent given name.

      1. cd
        Joke

        Re: "Muddy Waters, the Wall Street firm"

        They're trying to represent themselves as a Blues Chip stock.

  11. lglethal
    WTF?

    Two points

    1) How on Earth do you pick up a second hand Pacemaker on ebay?!?!?!?!?!?!??!?!

    2) I hope the SEC take MedSec and Muddy Waters to the absolute cleaners. This is absolutely disgraceful behavior. Ethics, I'm sure they've heard of them. ("That's that place near Wethics, right?")

    1. Trevor_Pott

      Re: Two points

      Company A buys pacemakers to hold them in stock as it is a warehouser or retailer of medical supplies to the American private medical industry.

      Company A goes out of business and has its assets sold off to pay creditors.

      Company A assets which cannot be immediately sold via reputable channels are sold to scavengers who specialize in offloading anything and everything on the secondhand market.

      Company B buys pacemaker on ebay from scavenger hawking remains of Company A's assets.

      If you look hard enough, you can find anything excepting better-than-university-grade fissionable material sold in this fashion, but if you work at it you can get some gas centrifuges and ------++++++CARRIER LOST

      1. Alistair
        Coat

        Re: Two points

        +++++

        TRIANGULATION DATA FOLLOWS:

    2. Queeg

      Re: Two points

      I kid you not...

      It is illegal in most countries to incinerate powered medical devices.

      After death Pacemakers/Defibrillators are removed before cremation.

      They can then be sterilised, tested, recharged and believe it or not

      implanted into Horses* and other large animals.

      Thereby giving plenty of opportunity for 2nd hand equipment to fall into the wrong hands.

      *Got it from the Horses mouth(Cardiologist Consultant)

    3. Andrew Commons

      Re: Two points

      http://www.ebay.com/bhp/medtronic-pacemaker

      1. Old Handle
        Trollface

        Re: Two points

        Wow, they're cheap! Next time I need a pacemaker I'm getting it on eBay. I'll save a bundle.

        1. Pompous Git

          Re: Two points

          Given that my CRT-D is a bit more than just a pacemaker and cost $AU60,000, I suspect that you might get what you pay for on eBay. The voices in my head told me they make you stick your arm out straight and repeatedly say "EX-TERMINATE" and "PUT IT IN THE CURRY" in a somewhat mechanical voice.

          Pakistani Daleks

  12. jjrr

    That's great

    This is the way to go: we'd see some progress if company stocks got whacked every time they release products with lousy security.

    1. sabroni
      Facepalm

      Re: That's great

      We'd see some progress if company stocks got whacked every time someone released fictional security warnings.

      1. jjrr

        Re: That's great

        That's a fair comment, but it is illegal to manipulate public stock by way of false information. I'd imagine that going all out with a false security advisory is just as illegal as declaring falsely that e.g. a CEO is resigning.

  13. Chris G

    The essence of Free Marketeering

    Start a rumour about someone, sell them short and ass rape them, when the smoke has cleared you have their true worth??!!

    Here is Muddy Waters the short seller; http://www.muddywatersresearch.com/about/

    And here the original Blues guy; https://www.youtube.com/watch?v=w5IOou6qN1o

    I know which one I prefer.

  14. allthecoolshortnamesweretaken

    "Rather than inform the company, MedSec did a deal with a Wall Street firm to short-sell St Jude stock and then go public with the news."

    Oh, the joys of capitalism.

    1. Adam Foxton

      That's not Capitalism.

      That's crime.

      1. Steve Knox

        Re: That's not Capitalism.

        That's crime.

        Presumes a significant difference.

  15. tekHedd

    7 feet?

    Ethics aside, has St Jude ever heard of directional antennas?

  16. Adam Foxton

    7 Foot range for an immobile target

    It's a good thing people with Pacemakers are in the peak of physical health and don't need to lay still in, say, a Hospital bed. Or at home. Or sit in a car. Or anywhere else that could be fitted with a pinging 'bug'.

    And that's before all the comments above about different aerials etc kick in.

    1. Donn Bly

      Re: 7 Foot range for an immobile target

      Actually, most people with pacemakers (well, at least 100% of the people that I know that have them) are quite active, often more-so than the average person of their age.

      The reason is that since they have already had a close call they're generally aware of the ramifications of a sedentary lifestyle and go out of their way to make sure that it doesn't happen again.

    2. Wayne Sheddan

      Re: 7 Foot range for an immobile target

      Most already carry a wifi 'ping bug' tool. It's called a smartphone... And you're guaranteed that it will be within 2.4GHz range almost all the time. No need to stay still anyway!

      My guess is the manufacturers are already developing smartphone apps that talk to the implanted devices to enable continuous logging e.g. a smartphone based ECG logger.

      What do you mean when you say my phone is allowed to access the pacemaker in my chest?

  17. rdhood

    7 ft range...

    If the thing is implanted in my chest, it needs to have secure communications at ANY distance. Limiting comms to 7ft... or even 7mm... might prevent a mass attack, but it doesn't prevent a targeted attack.

    1. Pompous Git

      Re: 7 ft range...

      As a wearer (?) of a St Jude cardiac resynchronisation device & defibrillator (rather more than a pacemaker) there's a couple of things to note. The device speaks to a box (Merlin@home Transmitter) that I need to sleep near so the CRT-D can tell it when things go awry. The Merlin is connected to the telephone line for the purposes of transmitting data to the St Jude website and which then automatically emails my cardiologist.

      I must be within 3 metres of the Merlin for it to work and that's ~10 feet, not 7. When I asked if information can be transferred from the Merlin to the CRT-D, I was told not. The device the technologist uses to make changes to the CRT-D's settings is via an induction coil that sits on my chest.

      I suspect that in order to change the settings on the CRT-D, potential miscreants would need to lure me within range of a very large induction coil, or heavily disguise themselves as my GP and use a stethoscope with an unusually large listening piece.

      Apropos being immobilised by my condition, the reverse is the case. For a decade I was diagnosed as a chronic asthmatic and was always short of breath. By last December I had to stop for a breather after walking a hundred metres. Since the correct diagnosis of heart failure and change in drugs, I have resumed (almost) all of the things I used to be able to do and suspect I'm physically more active than the average joe.

  18. Nya

    Medical Devices

    And hacking of medical devices is new? It's the only way many devices actually do what's actually needed due to the piss poor security and the fact that with a bit of home fiddling you can access them far beyond what the manufacturers claim is possible.

    Security to these companies is seen as one of those "not needed" or something they'll only watch what the opensource community is doing to improve their devices and then going out of their way to make it harder to prevent the community having home brew hardware far in advance of that they sell. But security to protect people?! That's never been on the agenda.

    1. Pompous Git

      Re: Medical Devices

      it's the only way many devices actually do what's actually needed due to the piss poor security and the fact with a bit of home fiddling and you can access them far beyond what the manufacturers claim are possible.

      The Merlin Programmer is a dedicated device that runs its software on Linux.

      Merlin™ Patient Care System

      I doubt that it's something a "home fiddler" would find in the garage.

      1. Saigua

        Re: Medical Devices

        That happens to be exactly what wannaboffins would find in the garage if only they let go the A2500 to have enough space for cellphones. The radio bits in phones sound like a perfectly good way to address things, but the sufficiency of the radio environment and cryptography to execution vulnerability exploit isn't absolutely certain. Let me know if you know St. Jude's responsible disclosure pipeline to be up to snuff; this action sounds like an egg well warmed and come to term.

        People in cities plagued with CSIOs and Medical Device Attorneys are seeing comic obtuse paean from security researchers. Try the Bloomberg, too: http://www.bloomberg.com/news/videos/2016-08-25/bone-st-jude-has-history-of-sweeping-things-under-table

        1. Pompous Git

          Re: Medical Devices

          I'm not sure how an incoming call can somehow force the Merlin@home to pick up that call. Presumably the miscreant would have to wait until the Merlin makes a call and somehow persuade it to send information to the CRT-D in quite a different fashion than the CRT-D is designed to receive. AFAICT the Merlin/CRT-D comms are strictly one way. It can send, but not receive.

          I suspect that the current ubiquity of transceivers blinds some to the obvious to us oldies fact that transmitters are not receivers and vice versa. This was obvious when we were building our own gear back in the 50s and 60s. The only time my receivers transmitted was when I increased the feedback too much in the TRFs I used to build.

          If someone wants to kill me, I'd imagine it's a lot cheaper and more efficient to put a bullet through my head. Or put a lethal drug in my IV drip.

  19. razorfishsl

    So prosecute for market manipulation.

    1. Saigua

      What manipulation? That device design fraud isn't a possible thing?

      Do tell us, what sort of bounty was the FDA 10K process going to offer researchers who weren't exfiltrated from a completely different AMA/NHS universe?

  20. Cuddles

    Not really a denial

    "MedSec claimed that this was easily hackable after buying second-hand kit on eBay, but St Jude points out that such kit has to receive security updates in order to work."

    St Jude's point appears to be entirely unrelated to the original claim. Lots of things are hackable despite receiving security updates, all that is required is for said security updates not to cover the specific flaw/s used in a given attack. In other words, this appears to be an outright admission that their devices are, in fact, hackable, since the whole point is that they didn't know about this flaw and therefore couldn't have patched it in an update.

    1. Pompous Git

      Re: Not really a denial

      Lots of things are hackable despite receiving security updates, all that is required is for said security updates not to cover the specific flaw/s used in a given attack. In other words, this appears to be an outright admission that their devices are, in fact, hackable, since the whole point is that they didn't know about this flaw and therefore couldn't have patched it in an update.

      While true, it's on a par with those many exploits that require physical access to the machine. In this instance, making changes to the device settings seems to require access via an inductive coupler. Listening to its output "remotely" seems possible, but that's not as big of a deal as accessing the output of all such devices via the web interface the clinicians use to receive reports.

      FWIW, my device reported an "event" a week ago Thursday at 4 am AEST. Having some third party know this doesn't seem to be at all life threatening.

  21. Gnosis_Carmot

    Relevant US law

    Section 9(a)(2)[1] of the Securities Exchange Act of 1934

  22. This post has been deleted by its author

    1. Poe
      FAIL

      Re: [fail]

      Your shipment of fail has arrived :/

  23. Pompous Git

    For those who missed the deleted post...

    An AC who claimed to work in the industry made the point that the CRT-Ds can only receive data when under the influence of a powerful magnet; i.e. what I took to be only an inductor also has such. Magnetism drops off rapidly with distance so to make use of this exploit would require close contact with the wearer (among many other improbable things).
