St Jude patching Merlin@home heart kit

Months after steadfastly denying its heart implants have serious security vulnerabilities, St Jude – now owned by Abbott Laboratories – has issued a patch. The company's press release is here. Last year, a pentester and an investor pulled a now-notorious double act on St Jude, shorting its stock before publishing the …

  1. Anonymous Coward

    How about we be given the option of audits…?

    People's lives depend on these devices working as advertised, so how about making the firmware sources and related documentation for how these devices work open, so that the end users can (or can pay someone they trust to) review them?

    The devices are likely built on patented technology which covers the hardware and algorithms, and copyright will cover the firmware as implemented.

    I'm not asking for the devices to be made "open source" … for good reasons, the devices should expect firmware updates to be cryptographically signed. An outsider should be able to take your sources, build them, and come up with a firmware binary image that can be compared with the official one for similarities.

    1. david 12 Silver badge

      Re: How about we be given the option of audits…?

      .. like OpenSSL. "many eyes"...

      1. Anonymous Coward

        Re: How about we be given the option of audits…?

        True, I never said it guaranteed audits, but the difference with OpenSSL, bash, and other high-profile security issues, is we, all of us, had the option to perform an audit, and still do now.

        With these medical devices, often it isn't an option. Don't believe me? Go ask Karen Sandler, who wished to find out about a pacemaker she had installed.

        This is the fundamental difference. I accept that there is no guarantee that an audit will be done … but the possibility of one being done, and/or the option of doing your own, trumps having to just trust on blind faith that the code for a particular widget does what it says on the tin and nothing else!

        1. JimC

          Re: How about we be given the option of audits…?

          How valuable is an option that no-one takes up? Out in the real world there are few who are technically competent enough, few who can be trusted, fewer yet who are interested and almost no-one who matches all 3 sets. If it trumps trusting on blind faith, it's arguably only in the sense of the 2 still being a trump when there are only 15 cards left and 13 of them are trumps...

          1. phil 27

            Re: How about we be given the option of audits…?

            Because Jim, for all the thousands of eyes that miss your criteria, having the stuff around to take a peek at when something catches your attention does very occasionally catch a gotcha before it's a problem. And the more eyes that look at it, the more chance of that odd neuron firing in the brain of someone who hasn't been trained to think in a certain way by our method of social conditioning known as education.

            Of course, unless it's a self-promo seeking consultancy with a website with a logo for the vuln etc, this process is transparent. Even more so if paid to check, as the client buys stealth; it's in no-one's interest to tell anyone, except maybe finance when they come round trying to get rid of all the people who make a difference because it doesn't show in some beancounter's spreadsheet because it's almost unquantifiable.

            Just because you don't know someone who's found something and worked to get it fixed quietly, doesn't mean in any way shape or form that's not going on continually around you. Even with closed source and binary things too.

            1. JimC

              Re: How about we be given the option of audits…?

              But is "security by hoping some random whitehat will look at your code before a blackhat does" really very much better than security by obscurity? Because that seems to be what's on offer here. Sometimes it even feels like a sort of horrible complacency: "I've open sourced my code so some nice person will look for holes for me", giving a kind of warm feeling without actually going to all the trouble and expense of getting a fully competent 3rd party in to do the job before it's released. Just the sort of solution the beancounters and PHBs favour, now I think about it.

              I'm not going to pretend I know a good answer to the appalling state of the products kicked out by the flakey industry I work in, but hoping for an odd neuron to fire in a random brain doesn't sound especially reliable to me.

              1. Paul Crawford Silver badge

                Re: How about we be given the option of audits…?

                Both open and closed source projects have equally shitty histories when it comes to security, though at least with open source ones you have the *chance* to find/fix stuff even if it's out of support or the vendor has lost interest, gone bust, etc.

                Nope, sadly the only answer is to make legally enforceable standards for software that can have any serious physical or financial impact, and for those creating systems around them (e.g. putting plant controllers on t'Internet in order to save maintenance costs without a secure, tested VPN system in place, or over an insecure radio connection, etc).

                Once said PHB realises he could face jail-time for badly managing system security (e.g. not having it audited by someone competent and/or acting on said feedback) then action might be taken.

                1. Robert Helpmann??

                  Re: How about we be given the option of audits…?

                  Open source is not enough to get eyes on if the people who are competent to check the code have no incentive to do so. If the code in question only applies to a niche market, then it is unlikely that anyone will spend time investigating or testing out of idle curiosity. In fact, it is unlikely that enough potential testers will even be aware that there is something to look at. It would seem that this would call for a bug bounty to attract outside eyes, a dedicated security testing group internally, or both.

    2. Voland's right hand Silver badge

      Re: How about we be given the option of audits…?

      A real audit or a pen-test by a proper crew is expensive. You are looking at sums north of 200K for a pop. 99% of PHBs will balk at that number and do it only if it is a regulatory requirement.

      So unfortunately, if these devices are to be audited or pen-tested there are only two options.

      1. Short the stock and have the hacker make the money there. Make this the norm and do not complain when it is being done to you.

      2. Make the auditing/pen-testing a regulatory requirement and create a market where you can hire crews to do so.

      A beneficial side effect of both is that some of the crews operating in the grey (or even black) area today may move to more white hat jobs, so either case is win-win (provided that you do not have congressmorons adding them to embargo lists without a shred of evidence to support it).

  2. Pompous Git Silver badge

    I'm keeping a very close eye...

    ... on anyone who enters my bedroom with a toolkit and the laptop-like device that one uses to control the CRT-D. So far, so good...
