St. Jude Heart Devices Vulnerable to Hacks
bloomberg.com
Matt Levine wrote about this today [ https://www.bloomberg.com/view/articles/2016-08-26/herbalife... ]:
"One thing I wonder about is: Even if Block is right, why would you hack someone's pacemaker? It is just so ... mean. And complicated. Like, if you wanted to murder someone with a pacemaker, it seems like it would be easier to walk up to him and shoot him with a gun than to buy the hardware and develop the expertise to hack his pacemaker, get within hacking range, and then do it. Pacemaker-hacking does not seem like an optimal method if your goal is just regular murder. (Not legal advice!)
"I guess one reason to hack a pacemaker is financial: You could short a ton of St. Jude's stock, hack some of its pacemakers, kill some people and wait for the stock to crash. (This is again not legal advice, though it is a free plot for a financial thriller if anyone's working on one.) But if you are a hacker looking to make money by shorting St. Jude's stock, and you have figured out how to hack its pacemakers, actually going and murdering a bunch of people seems mean and unnecessary and really extremely illegal. You should just short the stock and then tell people that you can hack the pacemakers."
Seeking to profit by short-selling a company's stock before revealing that their products have security vulnerabilities feels like a very grey ethical area to me.
I'm mildly surprised it doesn't fall under insider trading.
It's very interesting, and a complex moral issue.
On the one hand, responsible disclosure, and immediate patching would be the ideal way forwards.
However, with a company that has a history of neglecting security, and with such severe possible consequences, speaking the only language that businesses understand is sometimes the only way to make them pay attention.
Had they gone the "responsible" route with a CERT disclosure, the vulnerability would have been published 45 days later, and would presumably be exploitable (as St Jude doesn't seem to prioritise fixes).
As it is, we get a brief media shitstorm, and hopefully companies paying more attention to product security as a result.
What I'd love to see is responsible disclosure with teeth. Someone like the FDA imposing severe penalties for failure to patch security flaws, and rewarding responsible hackers who find vulnerabilities. This means we avoid the nasty area of effective blackmail, whilst hopefully making it likely the 'good' guys find the vulnerabilities first.