Thankfully the US will soon have a president who'll hold Wall St to account for these kinds of shenanigans. Oh wait...
Our pacemakers are totally secure, says short-sold St Jude
The manufacturer of pacemakers and defibrillators has slammed a report by security researchers, arguing it puts patients' lives at risk. On Thursday security startup MedSec claimed that St Jude Medical pacemakers and defibrillators were easily hackable and that hackers could either run down the batteries in patients' implanted …
COMMENTS
Monday 29th August 2016 10:02 GMT Anonymous Coward
That's called insider trading. The feds can go after them
I'm not sure it's insider trading but it sure is a dodgy type of reverse pump & dump. Worth keeping an eye on - especially if the basis of this report turns out to be false there will be all sorts of fun consequences.
If it is NOT followed up in court I suspect Wall Street will have a new way to manipulate stock without consequences. Not that they appear to need that, but it made a profit. As far as I understand the US brand of capitalism, that appears to function as a sort of universal get-out-of-jail card.
Monday 29th August 2016 14:00 GMT kain preacher
`
Insider trading is much different in the US than in the UK. Insider trading is if you have information that is not available to the general public that can affect the share prices and is used to make money off the information. It does not require you to work for the company. I.e. you find out that a product is about to be labeled defective. The gov is going to issue a recall before making it public.
Tuesday 30th August 2016 13:53 GMT Anonymous Coward
Re: `
Insider trading is if you have information that is not available to the general public that can affect the share prices and is used to make money off the information.
Yes, but is it insider trading if you simply make shit up? In that case you're misleading investors by making it appear you have insider information, but in reality you're just trolling a stock to short it. I'm not sure what laws that breaks, but I suspect the SEC may have that answer ready to roll.
Monday 29th August 2016 03:02 GMT Gene Cash
Finally
Crap security is starting to become a monetary concern to the manufacturers.
Good! Maybe it'll start being a concern when they code the next product.
I see they didn't contact the manufacturer, but they sound like the sort of self-righteous "It couldn't happen to OUR product" assholes that would have swept it under the rug and instantly threatened lawsuits. Instead, they got a public beating that seems to have been fairly productive.
Monday 29th August 2016 23:07 GMT a_yank_lurker
Re: Faraday cage?
Both sides are probably ladling the BS, though I think the company is probably laying out less. The "report" was issued in a manner to cause a share price drop so some short sellers could make a killing (pun intended). These devices are vulnerable because they require a radio link for some of the functionality. However, how easy the vulnerabilities are to exploit is also important. If the company's claims are reasonably close to reality then the real story is not that they exist but that they are difficult to use and the vast majority of patients do not need to worry.
Monday 29th August 2016 04:36 GMT paulf
Let's get this straight
One company finds a security hole in another company's products and accuses that company of not fixing them because they put profit before safety, but before disclosing their findings they place a bet on that company's shares in the hope their (disputed) report pushes the share price down, which it does, thus they make a profit at the expense of the safety that would have resulted from a prompt disclosure.
Surely this is just a sophisticated pump and dump scam?
Monday 29th August 2016 04:47 GMT Mark 85
Re: Let's get this straight
More like market manipulation, which can be "pump and dump", but that's something different. I'm wondering how the SEC will respond to this as this whole scenario does stink to high heaven. While I find it interesting that MedSec would do this, not contacting St. Jude before selling short and announcing really seems unethical to me.
Tuesday 30th August 2016 08:12 GMT paulf
Re: Let's get this straight
@ Mark 85 "More like market manipulation..."
You're right. By means of an excuse, I wrote that comment at 0500 (long story) on BH Monday and as I'd only had one coffee by then the brain was more sludgy than normal. Icon - what I enjoyed several of that evening after a long day.
Monday 29th August 2016 06:25 GMT Clive Harris
St Jude? What a name!
St Jude, otherwise known as St Judas, is traditionally the patron saint of lost causes. I'm not sure I'd want his name attached to a vital piece of medical equipment.
Explanation: St Judas, i.e. the "good Judas", or the "other Judas", seems to have been a good bloke, but had the misfortune to share the same name as the world's most infamous traitor - a bit like having the surname "Hitler", only worse. As a result, he was going to have a rough ride whatever he did. I think that's why, in some people's minds, he ended up as the "Saint of Last Resort", specialising in doomed enterprises.
Monday 29th August 2016 21:00 GMT katrinab
Re: Who wins, who loses?
Some shareholders bought shares for a higher price than they would have, had they known the full information about the company that the seller was in possession of.
Shorting shares works like this: You borrow shares from a mutual fund, pension fund or similar. You sell those shares on the market. You buy them back at the end of the loan period at hopefully a cheaper price than you sold them for, and you hand them back to the lender.
Monday 29th August 2016 08:29 GMT Trevor_Pott
Re: Two points
Company A buys pacemakers to hold them in stock as it is a warehouser or retailer of medical supplies to the American private medical industry.
Company A goes out of business and has its assets sold off to pay creditors.
Company A assets which cannot be immediately sold via reputable channels are sold to scavengers who specialize in offloading anything and everything on the secondhand market.
Company B buys pacemaker on ebay from scavenger hawking remains of Company A's assets.
If you look hard enough, you can find anything excepting better-than-university-grade fissionable material sold in this fashion, but if you work at it you can get some gas centrifuges and ------++++++CARRIER LOST
Tuesday 30th August 2016 08:15 GMT Queeg
Re: Two points
I kid you not...
It is illegal in most countries to incinerate powered medical devices.
After death, pacemakers/defibrillators are removed before cremation.
They can then be sterilised, tested, recharged and, believe it or not, implanted into horses* and other large animals.
Thereby giving plenty of opportunity for 2nd hand equipment to fall into the wrong hands.
*Got it from the horse's mouth (Cardiologist Consultant)
Tuesday 30th August 2016 23:50 GMT Pompous Git
Re: Two points
Given that my CRT-D is a bit more than just a pacemaker and cost $AU60,000, I suspect that you might get what you pay for on eBay. The voices in my head told me they make you stick your arm out straight and repeatedly say "EX-TERMINATE" and "PUT IT IN THE CURRY" in a somewhat mechanical voice.
Monday 29th August 2016 19:36 GMT Chris G
The essence of Free Marketeering
Start a rumour about someone, sell them short and ass rape them, when the smoke has cleared you have their true worth??!!
Here is Muddy Waters the short seller; http://www.muddywatersresearch.com/about/
And here the original Blues guy; https://www.youtube.com/watch?v=w5IOou6qN1o
I know which one I prefer.
Monday 29th August 2016 20:03 GMT Adam Foxton
7 Foot range for an immobile target
It's a good thing people with pacemakers are in the peak of physical health and don't need to lie still in, say, a hospital bed. Or at home. Or sit in a car. Or anywhere else that could be fitted with a pinging 'bug'.
And that's before all the comments above about different aerials etc kick in.
Monday 29th August 2016 21:11 GMT Donn Bly
Re: 7 Foot range for an immobile target
Actually, most people with pacemakers (well, at least 100% of the people that I know that have them) are quite active, often more-so than the average person of their age.
The reason is that since they have already had a close call they are generally aware of the ramifications of a sedentary lifestyle and go out of their way to make sure that it doesn't happen again.
Monday 29th August 2016 22:41 GMT Wayne Sheddan
Re: 7 Foot range for an immobile target
Most already carry a wifi 'ping bug' tool. It's called a smartphone... And you're guaranteed that it will be within 2.4GHz range almost all the time. No need to stay still anyway!
My guess is the manufacturers are already developing smartphone apps that talk to the implanted devices to enable continuous logging e.g. a smartphone based ECG logger.
What do you mean when you say my phone is allowed to access the pacemaker in my chest?
Monday 29th August 2016 23:25 GMT Pompous Git
Re: 7 ft range...
As a wearer (?) of a St Jude cardiac resynchronisation device & defibrillator (rather more than a pacemaker) there are a couple of things to note. The device speaks to a box (Merlin@home Transmitter) that I need to sleep near so the CRT-D can tell it when things go awry. The Merlin is connected to the telephone line for the purposes of transmitting data to the St Jude website, which then automatically emails my cardiologist.
I must be within 3 metres of the Merlin for it to work and that's ~10 feet, not 7. When I asked if information can be transferred from the Merlin to the CRT-D, I was told not. The device the technologist uses to make changes to the CRT-D's settings is via an induction coil that sits on my chest.
I suspect that in order to change the settings on the CRT-D, potential miscreants would need to lure me within range of a very large induction coil, or heavily disguise themselves as my GP and use a stethoscope with an unusually large listening piece.
Apropos being immobilised by my condition, the reverse is the case. For a decade I was diagnosed as a chronic asthmatic and was always short of breath. By last December I had to stop for a breather after walking a hundred metres. Since the correct diagnosis of heart failure and change in drugs, I have resumed (almost) all of the things I used to be able to do and suspect I'm physically more active than the average joe.
Monday 29th August 2016 22:10 GMT Nya
Medical Devices
And hacking of medical devices is new? It's the only way many devices actually do what's actually needed, due to the piss poor security and the fact that with a bit of home fiddling you can access them far beyond what the manufacturers claim is possible.
Security to these companies is seen as one of those "not needed" things, or something where they'll only watch what the open-source community is doing to improve their devices and then go out of their way to make it harder, to prevent the community having home-brew hardware far in advance of what they sell. But security to protect people?! That's never been on the agenda.
Tuesday 30th August 2016 00:03 GMT Pompous Git
Re: Medical Devices
it's the only way many devices actually do what's actually needed due to the piss poor security and the fact with a bit of home fiddling and you can access them far beyond what the manufacturers claim are possible.
The Merlin Programmer is a dedicated device that runs its software on Linux.
I doubt that it's something a "home fiddler" would find in the garage.
Tuesday 30th August 2016 04:40 GMT Saigua
Re: Medical Devices
That happens to be exactly what wannaboffins would find in the garage if only they let go the A2500 to have enough space for cellphones. The radio bits in phones sound like a perfectly good way to address things, but the sufficiency of the radio environment and cryptography to execution vulnerability exploit isn't absolutely certain. Let me know if you know St. Jude's responsible disclosure pipeline to be up to snuff; this action sounds like an egg well warmed and come to term.
People in cities plagued with CSIOs and Medical Device Attorneys are seeing comic obtuse paean from security researchers. Try the Bloomberg, too: http://www.bloomberg.com/news/videos/2016-08-25/bone-st-jude-has-history-of-sweeping-things-under-table
Tuesday 30th August 2016 07:06 GMT Pompous Git
Re: Medical Devices
I'm not sure how an incoming call can somehow force the Merlin@home to pick up that call. Presumably the miscreant would have to wait until the Merlin makes a call and somehow persuade it to send information to the CRT-D in quite a different fashion than the CRT-D is designed to receive. AFAICT the Merlin/CRT-D comms are strictly one way. It can send, but not receive.
I suspect that the current ubiquity of transceivers blinds some to the fact, obvious to us oldies, that transmitters are not receivers and vice versa. This was obvious when we were building our own gear back in the 50s and 60s. The only time my receivers transmitted was when I increased the feedback too much in the TRFs I used to build.
If someone wants to kill me, I'd imagine it's a lot cheaper and more efficient to put a bullet through my head. Or put a lethal drug in my IV drip.
Tuesday 30th August 2016 11:45 GMT Cuddles
Not really a denial
"MedSec claimed that this was easily hackable after buying second-hand kit on eBay, but St Jude points out that such kit has to receive security updates in order to work."
St Jude's point appears to be entirely unrelated to the original claim. Lots of things are hackable despite receiving security updates, all that is required is for said security updates not to cover the specific flaw/s used in a given attack. In other words, this appears to be an outright admission that their devices are, in fact, hackable, since the whole point is that they didn't know about this flaw and therefore couldn't have patched it in an update.
Tuesday 30th August 2016 16:58 GMT Pompous Git
Re: Not really a denial
Lots of things are hackable despite receiving security updates, all that is required is for said security updates not to cover the specific flaw/s used in a given attack. In other words, this appears to be an outright admission that their devices are, in fact, hackable, since the whole point is that they didn't know about this flaw and therefore couldn't have patched it in an update.
While true, it's on a par with those many exploits that require physical access to the machine. In this instance, making changes to the device settings seems to require access via an inductive coupler. Listening to its output "remotely" seems possible, but that's not as big of a deal as accessing the output of all such devices via the web interface the clinicians use to receive reports.
FWIW, my device reported an "event" a week ago Thursday at 4 am AEST. Having some third party know this doesn't seem to be at all life threatening.
This post has been deleted by its author
Wednesday 31st August 2016 10:25 GMT Pompous Git
For those who missed the deleted post...
An AC who claimed to work in the industry made the point that the CRT-Ds can only receive data when under the influence of a powerful magnet; i.e. what I took to be only an inductor also has such. Magnetism drops off rapidly with distance, so to make use of this exploit would require close contact with the wearer (among many other improbable things).