Demonstrations of Attacks Against Implanted Cardiac Devices [pdf]
d.muddywatersresearch.com
This is more about stock price manipulation than it is about implantable medical device security.
Having worked in the medical device industry for over a decade, I know first-hand how bad the security situation is on the vast majority of devices. It's by no means unique to St. Jude. The fact that these issues exist is also old news, as noted in the Bloomberg article linked by jevinskie.
In addition to new devices continuing to take a lax approach to security, there are the ongoing vulnerabilities in the older devices. The older models continue to be sold, and many of the older devices are still implanted in patients.
Is it an issue? Yes. Should something be done about it, perhaps by withholding FDA PMA or 510(k) clearance on new insecure devices? Probably. Is it unique to St. Jude? Not in the least.
My first 'real' job as an engineer out of university was working for one of the big three device makers at about the time they had released their first model with a remote telemetry sensor that you would keep by your bedside. I was so excited to get to play with 3G and remote sensing, and to top it off, for devices that will literally save lives! Yeah, not so much.
I remember talking through the whole process with some of the engineers deepest into it and thinking "holy crap this is bad." It then scared me more, because I'm only 6 months out of university, what the heck should I know? But this crap passed FDA approval and had a team of very expensive people working on it.
I left that place after less than a year when I realized the only people I was working with had been in the industry for 20+ years, were pretty much doing the same thing they'd been doing for two decades, and more importantly, were absolutely resistant to doing anything differently. I think that's one of the biggest problems with medical devices: hardware/low-level engineers are generally older and not used to preventing the types of threats that you'd be used to preventing if you spent most of your time building software that's on an open network. They're not put in an environment that really rewards adopting new technologies or practices, the development cycle is incredibly long because of the approval processes, which means that whatever you get to market is 3-5 years old at best, and they're constrained by hardware limitations (for cost, battery life, and form factor) as well. For many reasons, and a lot of them very good (people's lives depend on this stuff, after all), you will always be working with hardware and software tooling at least 5-10 years old. A lot of their products were just iterations off a previous generation for better battery life, smaller form factor, etc., and most of the codebase was from when I was in elementary school.
I worked with a lot of incredibly smart people that on their worst day could do things with hardware that I'll never be able to do, but at the same time they couldn't implement a secure communication protocol if it meant THEIR life depended on it. Someone like myself that comes in bright-eyed and full of wonder is either going to lose their light or move on because there's just no way to do anything truly novel in that space if you're working for one of the well-established companies. Don't get me wrong, when it comes to medical devices, chasing new and shiny is no way to go. But a lack of version control, a horrible QA test rig/system, and basically no diligence around a repeatable process are not chasing new and shiny.
This is truly scathing. News article about the short: https://www.bloomberg.com/news/articles/2016-08-25/carson-bl...
My company (W17 hopeful) is working to help med device vendors ensure basic crypto and security practices. I agree with @teuobk below; these problems are not unique to St. Jude.
BTW we're hiring. If you're reading this comment thread, you're probably a great potential team member. Email in profile.
I'm only half joking, but can I join to convince the med device vendors whom you're helping to make implantable devices that have so little connectivity to not need any crypto?
There are some very valid reasons for basic communications. For example, a doctor can wave a wand over the device and get telemetry info, which is necessary in order to get it tuned to each individual, which takes time and a number of visits. If you have a remote monitor (basically a high powered wand that lives in your house) the doctor can get alerted if you go into defib or have some other episode, or gather that info over time to make better adjustments and decrease the frequency of visits. Changing settings on the device generally needs to be done 'remotely' as well, as you don't likely want a micro USB port in your armpit (or maybe you do).
The problem with most of these devices is that if you can get them to ACK, you can pretty much get them to do whatever you want and the instruction set isn't all that complicated once you've grabbed some data streaming through the air for a little bit.
You need some connectivity, so some crypto, but your point stands.
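The failure mode described in the two comments above (a device that executes any well-formed frame once it ACKs, versus one that needs "some crypto" for the little connectivity it has) as an added, constructed example. This is not St. Jude's protocol, MedSec's findings, or any vendor's code: the frame layout, opcodes, and the toy `Device` classes are hypothetical, the key is a hard-coded placeholder, and how a per-device key is provisioned to a programmer wand is out of scope. It contrasts a controller that checks only framing and a CRC with one that requires an HMAC-SHA256 tag over the command and a monotonic counter, so that both forged commands and replayed sniffed frames are refused.

```python
import hashlib
import hmac
import zlib

# Hypothetical opcodes for a toy implant controller (not any real command set).
OP_READ_TELEMETRY = 0x01
OP_SET_PACING_RATE = 0x02

TAG_LEN = 16  # truncated HMAC-SHA256 tag; 128 bits is plenty for a 7-byte body


class Device:
    """Toy legacy controller: executes any frame whose CRC matches.

    Frame layout (constructed): opcode(1) | value(2, big-endian) | crc32(4).
    A CRC protects against bit errors, not against an attacker, so anyone who
    can get a frame ACKed can send any opcode they like.
    """

    def __init__(self):
        self.pacing_rate = 60

    def _execute(self, op: int, value: int) -> str:
        if op == OP_READ_TELEMETRY:
            return f"ACK rate={self.pacing_rate}"
        if op == OP_SET_PACING_RATE:
            self.pacing_rate = value
            return "ACK"
        return "NAK"

    def handle(self, frame: bytes) -> str:
        if len(frame) != 7:
            return "NAK"
        body, crc = frame[:3], frame[3:]
        if zlib.crc32(body).to_bytes(4, "big") != crc:
            return "NAK"
        return self._execute(body[0], int.from_bytes(body[1:3], "big"))


class AuthenticatedDevice(Device):
    """Same commands, but each frame must carry a fresh counter and a valid tag.

    Frame layout (constructed): opcode(1) | value(2) | counter(4) | tag(16),
    tag = HMAC-SHA256(key, opcode|value|counter)[:16].
    """

    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.last_counter = 0  # highest counter accepted so far (replay window)

    def handle(self, frame: bytes) -> str:
        if len(frame) != 7 + TAG_LEN:
            return "NAK"
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: a byte-by-byte early exit would leak the tag.
        if not hmac.compare_digest(expected, tag):
            return "NAK"
        counter = int.from_bytes(body[3:7], "big")
        if counter <= self.last_counter:
            return "NAK"  # replayed or stale frame
        self.last_counter = counter
        return self._execute(body[0], int.from_bytes(body[1:3], "big"))


def build_frame(op: int, value: int) -> bytes:
    """Legacy programmer (or anyone with a radio): CRC only."""
    body = bytes([op]) + value.to_bytes(2, "big")
    return body + zlib.crc32(body).to_bytes(4, "big")


def build_auth_frame(key: bytes, op: int, value: int, counter: int) -> bytes:
    """Programmer that shares a key with the device."""
    body = bytes([op]) + value.to_bytes(2, "big") + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def demo() -> dict:
    results = {}

    # 1. Legacy device: a sniffed frame tells the attacker the layout, and any
    #    value they choose is accepted as readily as the clinician's.
    legacy = Device()
    results["legacy_clinician"] = legacy.handle(build_frame(OP_SET_PACING_RATE, 70))
    results["legacy_forged"] = legacy.handle(build_frame(OP_SET_PACING_RATE, 180))
    results["legacy_rate"] = legacy.pacing_rate

    # 2. Authenticated device with a placeholder key (constructed for the demo).
    key = bytes(range(32))
    dev = AuthenticatedDevice(key)
    frame = build_auth_frame(key, OP_SET_PACING_RATE, 70, counter=1)
    results["auth_valid"] = dev.handle(frame)
    results["auth_replay"] = dev.handle(frame)  # same frame again: rejected
    forged = bytearray(frame)
    forged[1:3] = (180).to_bytes(2, "big")  # tamper with the value; tag no longer matches
    results["auth_forged"] = dev.handle(bytes(forged))
    results["auth_legacy_frame"] = dev.handle(build_frame(OP_SET_PACING_RATE, 180))
    results["auth_rate"] = dev.pacing_rate
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The counter is the part most often skipped: without it a tag only proves that some valid frame was once sent, and a recorded frame replays indefinitely. The comparison in the thread still holds, though: the unauthenticated device here is fully controlled by anyone who has watched one exchange, while the authenticated one refuses everything except a fresh, correctly keyed frame.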
Yes. Email me.
I'd like to speak with you, but I only see a medium link.
Sorry. Mike at MedCrypt dot co
This reads more like a poorly researched rant than a proper in-depth analysis of the security.
The URL should have 'www' in it, as follows: http://www.muddywatersresearch.com/wp-content/uploads/2016/0...
Looks like the paper was removed. Can anyone confirm?
None of this is new, and yet as far as anyone knows no one has ever yet met at the intersection of hacking and murder.
And why do you think we'd know?
For the same reason that we end up hearing about virtually everything, eventually; people really stink at keeping secrets.
This is the ultimate sample bias. Organizations are perfectly capable of keeping secrets, even if they are composed of individuals evolved to communicate the truth. We don't know how much we'll never know.
If we find out about clandestine activities (by governments or by private citizens), it is often decades later. Given that the capabilities have existed and been widely discussed for some time, it doesn't seem any more speculative to assert that there have probably been assassinations as that there haven't been. Radio connections don't leave behind much evidence.
What the radio connection does to the pacemaker probably does.