St Jude Medical Updates Cardiac Devices but Flaws Persist

St Jude Medical (SJM) has finally released security updates for its cardiac implant devices, in a move which would seem to validate claims made by controversial IoT security firm MedSec which led to a bitter legal dispute last year.
The medical device maker is suing MedSec and short seller Muddy Waters for publishing what it claimed to be false information about bugs in its equipment which helped them make money off the stock market when shares in the firm inevitably fell on the news.
However, on Monday St Jude released several updates to its Merlin remote monitoring system that’s used with implantable pacemakers and defibrillator devices, a few days after its acquisition by Abbott completed.
In a statement, the firm made no reference to the ongoing lawsuit or the flaws found by MedSec:

“As technology evolves, St. Jude Medical made seven software updates in three years to the Merlin@home transmitter alone, and it will immediately release its latest software update to Merlin@home, which will begin to be implemented today. The update includes additional validation and verification between the Merlin@home device and Merlin.net. St. Jude Medical has collaborated with the FDA, DHS ICS-CERT and other regulators in implementing this update. The company also plans to implement additional updates in 2017.”
In fact, the FDA published its findings on the identified vulnerabilities on Monday to coincide with the announcement.
The bugs in question could allow hackers to remotely deplete the battery on implanted cardiac devices or even administer shocks to the wearer.
The move by St Jude is significant because the company dismissed the findings of MedSec’s report as scaremongering when it was released last August.
“We continue to feel this lawsuit is the best course of action to make sure those looking to profit by trying to frighten patients and caregivers are held accountable for their actions,” it said in a statement a couple of months later after Muddy Waters brought in more third party experts to substantiate the claims.
Unsurprisingly, the short seller has reacted angrily to the news, issuing the following statement:
“After vehemently denying its devices suffer security vulnerabilities and then suing us, St. Jude issued a statement today that effectively vindicates the research published by MedSec and Muddy Waters. This long-overdue acknowledgement, just days after completion of St. Jude’s sale to Abbott Laboratories, reaffirms our belief that the company puts profits over patients. It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities. Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
Cryptography expert Matthew Green agreed that the fixes do not solve the underlying problem: that the vulnerabilities that exist in the implantable devices can only be fixed by updating the firmware.
In a series of tweets he explained the situation as it stands.
“So far as I can see from the FDA and SJM announcements, nobody has yet proposed a plan to update implantable device firmware! I don't even know what that would entail. Maybe bringing patients into doctor's offices. A logistical frigging nightmare,” Green claimed.
“There are 1000s of Merlin at Home boxes in patients’ homes … Compromising one box at a time is very time consuming and unlikely. But what if you could push harmful code to all of them at once. That scenario is nightmare fuel. It should be keeping SJM and the FDA up at night until they can rule it out.”