Researchers at the University of Michigan (U-M) have poured doubt on one claim by MedSec that St Jude Medical's implanted pacemakers and defibrillators are remotely breakable.
Last week MedSec went public with a report saying that life-giving devices sold by St Jude Medical could be wirelessly compromised by hackers – who could either brick the vital equipment or empty their batteries of charge by sending malicious signals from afar.
Rather than try to get the issue fixed with the manufacturer, MedSec partnered with investment firm Muddy Waters Capital to short St Jude's stock. This allowed the pair to cash in when they made their vulnerability findings public and the healthcare company's share price fell.
St Jude called the damning MedSec dossier "false and misleading."
Now U-M says some of the security shortcomings detailed in the MedSec report aren't as serious as first feared. The uni researchers attempted to recreate MedSec's attacks and found that in one case so far, the evidence the security firm presented is flawed.
"We're not saying the report is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue," said Kevin Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
"To the armchair engineer it may look startling, but to a clinician it just means you didn't plug it in. In layman's terms, it's like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard."
MedSec's report includes a photo of error messages on a wireless monitoring station for a defibrillator as evidence that a radio-based attack successfully crashed the implanted widget. When the station's wand is waved over the defibrillator, fault alerts are shown that suggest the gadget has died because there's no live information coming from it. The dossier reads:
In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers. It was therefore impossible to tell whether, and how the Cardiac Devices, are functioning. MedSec strongly suspects they were in many cases “bricked” – i.e., made to be non-functional. It is likely physicians would explant a device that did not respond to the programmer.
In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming.
According to U-M's team, though, the implanted pacemaker or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted.
In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed. It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation.
"We believe the pacemaker is acting correctly," Fu said.
"It's obviously not an attempt to recreate the attack," a Muddy Waters spokesperson told The Register. MedSec declined to comment on the matter.
In El Reg's view, if the communications are temporarily disrupted it's hard to see how this is a super serious issue. On the other hand, if the radio jamming stops all further communication from the implant to a monitoring terminal, that's going to potentially require surgery to fix, which is not optimal. However, bear in mind, there is no hard evidence that a device is "bricked" – merely MedSec's strong hunch that this has happened.
That's what all of last week's screaming headlines were based on.
"While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive," Fu noted. "Healthcare cybersecurity is about safety and risk management, and patients who are prescribed a medical device are far safer with the device than without it."
The U-M researchers are still going through the MedSec report, so there's room for more discoveries or revisions to their conclusions. In the meantime, the whole case has raised concerns among many in the computer security industry that the startup's unorthodox tactics may have needlessly terrified patients using St Jude's products.
"It's my personal view that ethically it's really hard to understand why people would have to go through this," Sam Rehman, CTO of application security vendor Arxan Technologies, told The Reg. "The whole point of the security industry is to build trust by protecting systems." ®