
Demonstrations of Attacks Against Implanted Cardiac Devices [pdf] - maibaum
http://d.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJ_08252016.pdf
======
teuobk
This is more about stock price manipulation than it is about implantable
medical device security.

Having worked in the medical device industry for over a decade, I know first-
hand how bad the security situation is on the vast majority of devices. It's
by no means unique to St. Jude. The fact that these issues exist is also old
news, as noted in the Bloomberg article linked by jevinskie.

In addition to new devices continuing to take a lax approach to security,
there are the ongoing vulnerabilities in the older devices. The older models
continue to be sold, and many of the older devices are still implanted in
patients.

Is it an issue? Yes. Should something be done about it, perhaps by withholding
FDA PMA or 510(k) clearance on new insecure devices? Probably. Is it unique to
St. Jude? Not in the least.

~~~
manyxcxi
My first 'real' job as an engineer out of university was working for one of
the big three device makers at about the time they had released their first
model with a remote telemetry sensor that you would keep by your bedside. I
was so excited to get to play with 3G and remote sensing, and to top it off,
for devices that will literally save lives! Yeah, not so much.

I remember talking through the whole process with some of the engineers
deepest into it and thinking "holy crap this is bad." It then scared me more,
because I'm only 6 months out of university, what the heck should I know? But
this crap passed FDA approval and had a team of very expensive people working
on it.

I left that place after less than a year when I realized the only people I was
working with had been in the industry for 20+ years, were pretty much doing
the same thing they'd been doing for two decades, and more importantly, were
absolutely resistant to doing anything differently. I think that's one of the
biggest problems with medical devices: hardware/low-level engineers are
generally older and not used to preventing the types of threats that you'd be
used to preventing if you spent most of your time building software that's on
an open network. They're not put in an environment that really rewards
adopting new technologies or practices, the development cycle is incredibly
long because of the approval processes, which means that whatever you get to
market is 3-5 years old at best, and they're constrained by hardware
limitations (for cost, battery life, and form factor) as well. For many
reasons, and a lot of them very good (people's lives depend on this stuff,
after all), you will always be working with hardware and software tooling at
least 5-10 years old. A lot of their products were just iterations off a
previous generation for better battery life, smaller form factor, etc. and
most of the codebase was from when I was in elementary school.

I worked with a lot of incredibly smart people that on their worst day could
do things with hardware that I'll never be able to do, but at the same time
they couldn't implement a secure communication protocol if it meant THEIR life
depended on it. Someone like myself that comes in bright-eyed and full of
wonder is either going to lose their light or move on because there's just no
way to do anything truly novel in that space if you're working for one of the
well established companies. Don't get me wrong, when it comes to medical
devices, chasing new and shiny is no way to go. But a lack of version control,
a horrible QA test rig/system, and basically no diligence around a repeatable
process are not chasing new and shiny.

------
jevinskie
This is truly scathing. News article about the short:
[https://www.bloomberg.com/news/articles/2016-08-25/carson-bl...](https://www.bloomberg.com/news/articles/2016-08-25/carson-block-takes-on-st-jude-medical-with-claim-of-hack-risk)

------
mikekij
My company (W17 hopeful) is working to help med device vendors ensure basic
crypto and security practices. I agree with @teuobk below; these problems are
not unique to St. Jude.

BTW we're hiring. If you're reading this comment thread, you're probably a
great potential team member. Email in profile.

~~~
yoo1I
I'm only half joking, but can I join to convince the med device vendors who
you're helping to make implantable devices that have so little connectivity to
not need any crypto?

~~~
manyxcxi
There are some very valid reasons for basic communications. For example, a
doctor can wave a wand over the device and get telemetry info, which is
necessary in order to get it tuned to each individual, which takes time and a
number of visits. If you have a remote monitor (basically a high-powered wand
that lives in your house) the doctor can get alerted if you go into defib or
have some other episode, or gather that info over time to make better
adjustments and decrease the frequency of visits. Changing settings on the
device generally needs to be done 'remotely' as well, as you don't likely want
a micro USB port in your armpit (or maybe you do).

The problem with most of these devices is that if you can get them to ACK, you
can pretty much get them to do whatever you want and the instruction set isn't
all that complicated once you've grabbed some data streaming through the air
for a little bit.

------
TickleSteve
This reads more like a poorly researched rant than a proper in-depth analysis
of the security.

------
grkvlt
The URL should have 'www' in it, as follows:
[http://www.muddywatersresearch.com/wp-content/uploads/2016/0...](http://www.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJ_08252016_2.pdf)

------
mindcrash
Looks like the paper was removed. Can anyone confirm?

------
S_Daedalus
None of this is new, and yet as far as anyone knows no one has ever yet met at
the intersection of hacking and murder.

~~~
thingexplainer
And why do you think we'd know?

~~~
S_Daedalus
For the same reason that we end up hearing about virtually everything,
eventually; people really stink at keeping secrets.

~~~
thingexplainer
This is the ultimate sample bias. Organizations are perfectly capable of
keeping secrets, even if they are composed of individuals evolved to
communicate the truth. We don't know how much we'll never know.

If we find out about clandestine activities (by governments or by private
citizens), it is often decades later. Given that the capabilities have existed
and been widely discussed for some time, it doesn't seem any more speculative
to assert that there have probably been assassinations as that there haven't
been. Radio connections don't leave behind much evidence.

~~~
S_Daedalus
What the radio connection does to the pacemaker probably does.

