Turns out, pacemaker security is terrifying

Be still my backdoored heart.

Journalist

Updated Fri, Apr 21, 2017, 3:55 PM·5 min read

The hacker who uses her wizard powers to get rich by manipulating stocks is a tired Hollywood trope. But that doesn't mean some hackers don't dream about making the fantasy come true, or that the ridiculous vulnerabilities necessary to facilitate such a thing don't exist.

Some hackers do indeed have that dream. And reductive Hollywood-style vulns in critical financial (and other) systems are as real as they are plentiful in our world of crap security.

It's just rare that all these things come together in a real-life event, as they have with the St. Jude Medical pacemaker-hacking debacle. And it's even more awful when someone dies in the background as companies fight over press coverage, hacks and cash -- which is exactly the twist that happened this week.

If you're not familiar with the story, here's the light version.

Last August, short-selling firm Muddy Waters and its business partner, security company MedSec Holdings, released a set of scathing and hotly contested findings. The report said St. Jude Medical's pacemakers and implantable heart devices have critical security flaws.

Rather than the standard disclosure process, in which researchers go to the manufacturer first so they have an opportunity to fix and patch the flaws, both MedSec and Muddy Waters went public. As in, to the press. Where MedSec admitted that its payment for the damning security findings on St. Jude Medical was tied to Muddy's profits.

Muddy Waters founder Carson Block gave investors -- and press -- a report warning "that tens of thousands of Americans are living with ticking time bombs: St. Jude pacemakers and defibrillators that are easily compromised, causing potentially fatal disruptions."

Even though that is still in the realm of Hollywood and CSI: Cyber fantasy, Block went on Bloomberg TV spreading some serious fear. "The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction." He added that St. Jude Medical "should stop selling these devices until it has developed a new secure communication protocol."

While there have been documented cases of police investigations supported by pacemaker surveillance, there have been no documented cases of mass pacemaker hacking.

The report hit the news, and shares of St. Jude immediately fell 5 percent. St. Jude Medical called the Muddy Waters report "false and misleading," saying most of the findings applied to older and unpatched versions of its devices.

In a blog post, MedSec CEO Justine Bone gave a parenthetical on why it didn't disclose to the manufacturer first, saying the company believed St Jude Medical "has known about security problems in their products since at least 2013." But MedSec said that because the devices had such bad security, it believed going to the press and Muddy Waters was "the only way to spur St Jude Medical into action."

"For the past 18 months, our team has been quietly evaluating the security of various medical devices," wrote Ms. Bone. She continued: "One company, St Jude Medical, has stood out as lagging far behind. For years this company has continued to put patients at risk by profiting from the sale of devices and a device ecosystem which has little to no built-in security."

Some in infosec said the researchers were endangering patients and behaving unethically by not telling St. Jude Medical about the problems first. Debates raged about responsibility, disclosure and the role of the press. Some wondered if the findings were reproducible, and called for independent audits to objectively determine what was really going on -- some researchers even had conflicting findings.

Ultimately, St. Jude Medical's stock plunged as much as 10 percent in the aftermath. The company launched a lawsuit against MedSec and Muddy Waters, and the three firms skirmished in the press again when MedSec's findings were allegedly reproduced by security firm Bishop Fox. What's more, the second set of researchers claimed they could take over the pacemakers at a distance of around 10 feet.

At the time of the Muddy Waters press drama, the Food and Drug Administration declined to comment on St. Jude's devices.

Now the FDA has something to say, and it looks like MedSec was right. According to a scathing letter from the FDA, St. Jude Medical knew about grave security issues in its implantable medical devices as early as 2014 "but failed to address them with software updates or by replacing those devices."

The government concluded that St. Jude Medical, "time and again, failed to adhere to internal security and product-quality guidelines, a lapse that resulted in at least one patient death."

Despite learning about vulns in its April 2014 security tests from a hired third party, St. Jude Medical "failed to accurately incorporate the findings of that assessment" in subsequent risk evaluations for its devices. The FDA said one of the serious flaws is a "hardcoded universal unlock code" for the company's High Voltage heart implants.

St. Jude Medical parent company Abbott responded with a statement saying that "patient safety comes first" and it "takes these matters seriously, continues to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns."

"It is refreshing to see the disclosure," Bone told press. "St. Jude Medical, for the first time, publicly acknowledge that they knew about [the security risks], but continued to sell these products and have them implanted in patients," she said.

I'll be honest: I didn't want to revisit the Muddy Waters, MedSec and St. Jude story. Going to the press before actually working for a fix isn't really a clever stick, and it's certainly not an effective one when there's no carrot. And then to see that bad behavior rewarded by a too-little-too-late FDA spanking...

It's a good reminder of why infosec's limelight addiction makes me sick. Making hack-scare headlines for profit about a situation in which someone actually died is repulsive.

And I don't know about you, but I scream into the wind every week right here on these pages wishing it wasn't happening. Not like this. I write hoping no one dies in the middle of a story where hackers say they want fixes, but maybe they're in it more for the cash-headlines-fame, and we can no longer determine what it looks like when they really do care.

REUTERS/Brendan McDermid (St. Jude Medical stock)

Engadget
Budget doorbell camera manufacturer fixes security issues that left users vulnerable to spying
Eken Group has issued a firmware update to resolve major security issues with its doorbell cameras that were uncovered by Consumer Reports. The cameras are sold under the brands Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee and Luckwolf.
1h ago
Engadget
Google asks court to reject the DOJ’s lawsuit that accuses it of monopolizing ad tech
Google filed a motion on Friday in a Virginia federal court seeking summary judgment for the Department of Justice's antitrust case against it. The DOJ sued Google at the beginning of 2023 for alleged monopolistic practices.
4h ago
Engadget
Some Apple users say they’ve been mysteriously locked out of their accounts
Apple users reported starting Friday night that they were signed out of their Apple IDs and in some cases made to change their passwords. It's unclear yet how many users have been affected or what the underlying cause of the issue is.
6h ago
Engadget
I played Fire Emblem Engage on easy mode, and it got me back into gaming
"Sure, winning battles and matches in more difficult modes will feel more rewarding, but not every gaming experience has to be a challenge."
10h ago
Engadget
Apple has reportedly resumed talks with OpenAI to build a chatbot for the iPhone
Apple has resumed talks with OpenAI, the maker of ChatGPT, to build an AI-powered chatbot into the iPhone, according to a new report.
22h ago
Engadget
The FTC accuses Amazon of using Signal’s auto-deleting messages to erase evidence
As part of its antitrust suit against Amazon, the FTC accused the company of using Signal’s disappearing messages feature to conceal communications.
1d ago
Engadget
Drake deletes AI-generated Tupac track after Shakur’s estate threatened to sue
Drake apparently learned it isn’t wise to mess with Tupac Shakur — even nearly three decades after his death. Tthe Canadian hip-hop artist deleted the post with his track “Taylor Made Freestyle,” which used an AI-generated recreation of Shakur’s voice.
1d ago
Engadget
Aaron Sorkin is working on a Jan. 6-focused follow-up to The Social Network
Aaron Sorkin has announced that he’s currently writing a followup script to The Social Network. The original was his take on the initial years of Facebook.
1d ago
Engadget
Samsung's Galaxy S24 Ultra falls to a new low, plus the rest of the week's best tech deals
This week's best tech deals include a new low on the Samsung Galaxy S24 Ultra, Apple's MacBook Air M3 for $989 and Anker's Soundcore Space A40 earbuds for $49, among others.
1d ago
Engadget
Nikon’s Z8 is a phenomenal mirrorless camera for the price
Nikon's Z8 is one of the highest resolution full-frame cameras with 45 megapixels, but is also one of the fastest and has incredible video capabilities too.
1d ago
Engadget
Some of our favorite Bose headphones and earbuds are back to all-time low prices
Amazon has some of the highest-rated Bose headphones on sale for record-low prices. That includes the Bose QuietComfort Ultra headphones, which have best-in-class active noise cancellation (ANC).
1d ago
Engadget
Apple's 13-inch MacBook Air with the M3 chip has never been cheaper
The latest Apple MacBook Air with the M3 chip is down to a new low price at Amazon.
1d ago
Engadget
NHTSA concludes Tesla Autopilot investigation after linking the system to 14 deaths
The National Highway Traffic Safety Administration has concluded a lengthy investigation into Tesla’s Autopilot system. It found 13 fatal crashes due to misuse and software that doesn’t prioritize driver attentiveness.
1d ago
Engadget
Wacom's first OLED pen display is also the thinnest and lightest it has ever made
Wacom's latest pen display model is called Movink, and it's the company's first with a OLED screen. It's also Wacom's thinnest and lightest option ever, while still offering 13 inches of work space.
1d ago
Engadget
It doesn’t matter how many Vision Pro headsets Apple sells
This week, there was a lot of back and forth about Apple Vision Pro production numbers. Here's why they don't matter.
1d ago
Engadget
The Google Pixel Buds Pro are back on sale for $135
Google's Pixel Buds Pro are on sale for $135 at Wellbots, which is the lowest price we've seen this year.
1d ago
Engadget
Dell XPS 13 and XPS 14 review (2024): Gorgeous laptops with usability quirks
Dell’s XPS 13 and 14 are stylish, portable and powerful. You’ll have to get used to some of its design quirks, though, and it’s far pricier than older models.
1d ago
Engadget
OpenAI's Sam Altman and other tech leaders join the federal AI safety board
Sam Altman, OpenAI's CEO, Microsoft chief Satya Nadella, Alphabet CEO Sundar Pichai are joining the government's Artificial Intelligence Safety and Security Board, according to The Wall Street Journal.
1d ago
Engadget
The best gaming gear for graduates
New graduates have earned the time to unwind after a busy year. These pieces of gaming gear would make great gifts for the new college graduate in your life.
a year ago
Engadget
The Morning After: Apple announces an iPad event for May 7
The biggest news stories this morning: Adobe’s new upscaling tech uses AI to sharpen video, BlizzCon 2024 is canceled, The world’s biggest 3D printer can make a house in under 80 hours.
1d ago

Turns out, pacemaker security is terrifying

Be still my backdoored heart.

Latest Stories

Budget doorbell camera manufacturer fixes security issues that left users vulnerable to spying

Google asks court to reject the DOJ’s lawsuit that accuses it of monopolizing ad tech

Some Apple users say they’ve been mysteriously locked out of their accounts

I played Fire Emblem Engage on easy mode, and it got me back into gaming

Apple has reportedly resumed talks with OpenAI to build a chatbot for the iPhone

The FTC accuses Amazon of using Signal’s auto-deleting messages to erase evidence

Drake deletes AI-generated Tupac track after Shakur’s estate threatened to sue

Aaron Sorkin is working on a Jan. 6-focused follow-up to The Social Network

Samsung's Galaxy S24 Ultra falls to a new low, plus the rest of the week's best tech deals

Nikon’s Z8 is a phenomenal mirrorless camera for the price

Some of our favorite Bose headphones and earbuds are back to all-time low prices

Apple's 13-inch MacBook Air with the M3 chip has never been cheaper

NHTSA concludes Tesla Autopilot investigation after linking the system to 14 deaths

Wacom's first OLED pen display is also the thinnest and lightest it has ever made

It doesn’t matter how many Vision Pro headsets Apple sells

The Google Pixel Buds Pro are back on sale for $135

Dell XPS 13 and XPS 14 review (2024): Gorgeous laptops with usability quirks

OpenAI's Sam Altman and other tech leaders join the federal AI safety board

The best gaming gear for graduates

The Morning After: Apple announces an iPad event for May 7

About

Sections

Contribute

Buying Guides