Independent Research Firm Confirms St. Jude Security Vulnerabilities
In August, MedSec partnered with Muddy Waters to release the results of security research into the St. Jude Medical product suite, revealing significant vulnerabilities. Less than two weeks later, St. Jude filed a lawsuit against myself, MedSec, and others. The lawsuit accused us of defaming St. Jude by falsely criticizing the security of its medical devices.
It turns out that St. Jude, not MedSec, is the one making false claims about the security of its devices. The defendants have now filed an answer to St. Jude’s complaint, including a report by security consulting firm Bishop Fox. The Bishop Fox report, which was written after an on-site visit to MedSec by Bishop Fox and third-party cybersecurity experts, supports MedSec’s research and concludes that St. Jude’s devices are “susceptible to serious security vulnerabilities.” You can view a copy of the Bishop Fox report here.
When MedSec discovered the vulnerabilities, we carefully considered but rejected the traditional approach to disclosure—confronting St. Jude. We believed (and still believe) St. Jude’s track record in responding to reported problems is poor. In fact, St. Jude just recently announced a potentially lethal design defect that may affect up to 350,000 of its users – two years after learning of it, apparently. In my opinion, patients deserve to understand the risks associated with the technologies upon which their health is dependent.
St. Jude is not the first vendor to react badly to security researchers who find flaws in its products, and it won’t be the last. Other companies have filed lawsuits under the Digital Millennium Copyright Act or the Computer Fraud and Abuse Act to hush unwelcome security research, though St. Jude’s lawsuit seems to be the first to sue researchers like us for defamation.
When it came to our research, we concluded that a partnership with Muddy Waters was the fastest route to improved product security, improving patient safety and a better understanding of the risks faced by patients.
Traditional responsible disclosure is a two-way conversation that does not engage the customer. In disclosure debates, this point is often overlooked. A vendor that refuses to engage responsibly also poses a problem for independent security researchers. If the researcher publishes everything about the vendor’s security flaws, right down to the attack code it used, then the vendor’s customers will be immediately at risk. But if the researchers are intimidated into silence, the customers are still at risk. Others can find the same holes as the first researchers, but the customers will not know it, and the vendor may feel no pressure to plug the holes.
Different researchers follow different approaches when faced with this dilemma. Some believe in full immediate disclosure; others believe in trying to work with the vendor. Google, which does lots of independent security research, summarized the tension this way:
We’ve seen an increase in vendors invoking the principles of “responsible” disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers. The important implication of referring to this process as "responsible" is that researchers who do not comply are seen as behaving improperly. However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time.
Google resolved the tension by saying its researchers should in the first instance disclose bugs confidentially to vendors but if the bug was not fixed in 60 days it was reasonable to release the research publicly.
Faced with a particularly aggressive and hostile vendor, MedSec has nonetheless tried to walk a similar line. While some folks seem to believe that Muddy Waters disclosed full information in its August report, this is incorrect. MedSec and Muddy Waters worked closely to limit the public disclosure of detailed underlying vulnerability information. Broadly, we identified publicly what our researchers had achieved but not how they did it.
At the same time the Muddy Waters report was published, we privately shared details with the FDA and DHS. We invited both organizations into our labs and also offered to visit theirs. MedSec also asked that these details be shared with St. Jude via the government agencies, and we extended an offer of direct assistance to St. Jude. To this day we have heard nothing back from St. Jude outside of public and legal accusations. We still have not disclosed all those details publicly, even though two months have elapsed, thousands of vulnerable devices have likely been installed, and St. Jude has yet to announce any fixes for the security problems we identified.
We continue to try to walk that line, though St. Jude’s lawsuit makes that far more difficult. St. Jude is claiming that we did not have a reasonable basis for the statements we made about its security. The best way to defend ourselves is to disclose every bit of evidence we have about St. Jude’s security flaws. Thus far, however, we have not done so, and we have asked that the expert report prepared for Bishop Fox also withhold critical details about the attacks we have successfully demonstrated on St. Jude devices.
If anything demonstrates just how bad an idea it is for vendors to attack security researchers, surely this is it. St. Jude’s denial of the cybersecurity errors has effectively shifted the focus away from remediation efforts. It is unfortunate that St. Jude puts its energy into fighting us, rather than understanding and addressing the security problems in its product suite.

Justine Bone
CEO, MedSec