Patching IoT Gets Out of Hand
In what may be a first-of-its-kind event, the FDA recalled a pacemaker from St. Jude, now owned by Abbott Labs.
Researchers discovered the flaws prior to Abbott’s acquisition of St. Jude and reported them to both the FDA and St. Jude. Both decided to do nothing about it until the researchers went public.
In April of this year, the FDA put out a “warning” – also likely a first of its kind – that the devices, which can be controlled remotely, were likely hackable and also had a battery problem that could cause them to go dead – possibly along with the patient – before they were supposed to. At that time Abbott said that it took security seriously and had fixed all the problems (see Fox Business).
Fast forward to this week and the FDA has now issued a recall of close to a half million of the supposedly fixed devices.
Since the devices are implanted inside people, the plan is NOT to perform half a million surgeries to remove them, but rather to have patients go to their doctor to have the firmware in the device updated.
As I recall, one of the problems WAS this update capability. The researchers were able, I think, to buy pacemaker programmers on eBay and reprogram any pacemaker from that manufacturer without authentication. All they had to do was be in radio range of it.
Obviously, reprogramming the pacemaker (which has to be done in a facility that can control the patient’s heart rhythm while the pacemaker is being hacked. Err, patched. Err, upgraded.) is a LOT safer than half a million surgeries, but it is still not without risk.
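To make the "anyone in radio range can reprogram it" problem concrete, here is an added example of my own; it is not St. Jude or Abbott code and it does not reproduce their real protocol or image format. It assumes a made-up firmware image layout (4-byte version, payload, Ed25519 signature over both), a device that was provisioned with only the vendor's public key, and constructed payloads. The vulnerable handler loads whatever it is handed; the hardened one verifies the vendor signature first and then refuses anything that is not strictly newer than what is installed, so a captured genuine image cannot be replayed to roll a patched device back.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative update handler, not St. Jude/Abbott code. Assumed image
// layout for this example: 4-byte big-endian version | payload | 64-byte
// Ed25519 signature over (version || payload).
const sigLen = ed25519.SignatureSize

// Device models the implant's update state. Only the vendor's public key is
// provisioned on the device; the private key never leaves the manufacturer.
type Device struct {
	Version   uint32
	VendorKey ed25519.PublicKey
	Firmware  []byte
}

// vulnerableUpdate is the failure mode described in the post: any programmer
// in radio range that speaks the protocol can load whatever it likes.
func vulnerableUpdate(d *Device, image []byte) error {
	if len(image) < 4 {
		return errors.New("short image")
	}
	d.Version = binary.BigEndian.Uint32(image[:4])
	d.Firmware = image[4:]
	return nil
}

// hardenedUpdate verifies the vendor signature before touching any state and
// refuses versions that are not strictly newer, so a captured genuine image
// cannot be replayed to downgrade a patched device.
func hardenedUpdate(d *Device, image []byte) error {
	if len(image) < 4+sigLen {
		return errors.New("short image")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(d.VendorKey, body, sig) {
		return errors.New("signature check failed: image rejected")
	}
	v := binary.BigEndian.Uint32(body[:4])
	if v <= d.Version {
		return fmt.Errorf("version %d is not newer than installed %d: rejected", v, d.Version)
	}
	d.Version = v
	d.Firmware = append([]byte(nil), body[4:]...)
	return nil
}

// buildImage is the manufacturer-side signing step.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Outcome records what each handler did with each constructed image.
type Outcome struct {
	VulnerableAcceptsAttacker bool
	HardenedRejectsAttacker   bool
	HardenedRejectsTampered   bool
	HardenedRejectsDowngrade  bool
	HardenedAcceptsGenuine    bool
	FinalVersion              uint32
}

// demo runs both handlers against constructed images: one signed with an
// attacker's own key (think: a programmer bought second-hand), one genuine
// image with a flipped payload byte, one genuine but older image, and one
// genuine newer image.
func demo() Outcome {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	malicious := []byte("pacing-params: unsafe")      // constructed payload
	genuinePayload := []byte("pacing-params: patched") // constructed payload

	vuln := &Device{Version: 7, VendorKey: vendorPub}
	hard := &Device{Version: 7, VendorKey: vendorPub}

	attackerImage := buildImage(attackerPriv, 8, malicious)
	genuine := buildImage(vendorPriv, 8, genuinePayload)
	tampered := append([]byte(nil), genuine...)
	tampered[6] ^= 0xff // corrupt a payload byte; the signature no longer matches
	older := buildImage(vendorPriv, 3, genuinePayload)

	var o Outcome
	o.VulnerableAcceptsAttacker = vulnerableUpdate(vuln, attackerImage) == nil
	o.HardenedRejectsAttacker = hardenedUpdate(hard, attackerImage) != nil
	o.HardenedRejectsTampered = hardenedUpdate(hard, tampered) != nil
	o.HardenedRejectsDowngrade = hardenedUpdate(hard, older) != nil
	o.HardenedAcceptsGenuine = hardenedUpdate(hard, genuine) == nil
	o.FinalVersion = hard.Version
	return o
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

Note what this does and does not buy you: the signature check stops an unauthorized or tampered image from being loaded, and the version check stops replay of an old genuine one, but neither authenticates the programmer session itself, and a real device also has to survive a power loss or a bad image halfway through a write, which this toy handler does not address.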
No clue what the cost of this little adventure will be, but it won’t be cheap. Even if each doctor visit costs only a hundred bucks – which is highly unlikely – that would still be a cost of $50 million. If the cost is $500 per visit, the total would likely be in the $250 to $500 million range once you add legal fees, fines and support costs.
One other interesting feature. The researchers approached St. Jude about paying them a bug bounty, which is common in the tech world, and St. Jude declined. Instead, the researchers approached Muddy Waters Capital, who sold the stock short and then announced the vulnerabilities. When the stock price went down, which it did, Muddy Waters covered their short and made out very nicely. Muddy Waters and the researchers had a deal to split the profits in some fashion. Some people thought that was a bit too capitalistic, but it is not illegal. Maybe next time, the manufacturer will work with the researchers when they approach it.
Information for this post came from The Guardian.