465k patients told to visit doctor to patch critical pacemaker vulnerability
-
"If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality," Abbott representatives wrote in an open letter to doctors.
The critical firmware flaws came to light last year in an advisory that was sponsored by an investment that was betting against the stock of St. Jude, which was formally acquired by Abbott Laboratories in January. In the two days following the disclosure by investment firm Muddy Waters, St. Jude's stock price fell 12 percent. At the time, St. Jude issued a statement saying the Muddy Waters report was "false and misleading." [Emphasis added]
Fucking disgusting. I wish they would get fined out of existence for this level of incompetence.
Fucking open source bullshit
-
@bb36e said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Fucking open source bullshit
Oh hi @blakeyrat, didn't see you there.
Where exactly does it say it's open source?
-
Ouch! That gives a whole new meaning to the term "heart attack"! :o
-
@bb36e I'm about equally disgusted by the fact that this exploit was only revealed as a stock shorting scam. What color "hat" is that?
-
The article also shows why security of those devices is not trivial:
At the moment, using passwords or similar authentication methods to ensure only authorized people can take remote control of medical devices is problematic. One complication: during medical emergencies, doctors often require immediate access to devices. If a patient is unable to reveal the credentials and hospital staff can't immediately contact the patient's doctor, the security could delay urgent treatment. One potential solution proposed by researchers is a wearable healthcare device that uses the patient's unique physiological signatures to prevent tampering by malicious hackers.
I do not think biometrics are a good solution - especially since those can change when someone is sick.
But I have heard a clever proposal:
- Wear a jammer that jams the wireless communication to the medical device, preventing external access.
- If you physically connect to the jammer, it will tell you the jamming signal, so you can subtract it and communicate.
So physical access is required to communicate with the medical device - but the medical device itself does not need cables going out of the body.
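The jammer-and-subtract scheme in the post above, as an added simulation (not the poster's code and not any real device's protocol); the additive channel model, the amplitudes and the seeds are assumptions:

```python
import random

# Constructed simulation of the wearable-jammer idea: the implant sends +1/-1
# symbols, a co-located jammer adds a seeded pseudo-random waveform of much larger
# amplitude, and any radio in range hears only the sum. A reader that physically
# connects to the jammer learns the seed, regenerates the waveform and subtracts it;
# everyone else decodes noise. All amplitudes and seeds are assumed demo values.

SYMBOL_AMP = 1.0     # implant transmit amplitude (assumed)
JAM_AMP = 20.0       # jammer amplitude; must dominate the data signal (assumed)
CHIPS_PER_BIT = 8    # samples per data bit (assumed)

def encode_bits(bits):
    """Map each bit to CHIPS_PER_BIT samples of +SYMBOL_AMP or -SYMBOL_AMP."""
    return [SYMBOL_AMP if b else -SYMBOL_AMP for b in bits for _ in range(CHIPS_PER_BIT)]

def jam_waveform(seed, length):
    """Jammer output, reproducible only from the seed it reveals on physical contact."""
    rng = random.Random(seed)
    return [rng.uniform(-JAM_AMP, JAM_AMP) for _ in range(length)]

def over_the_air(bits, seed):
    """What any receiver in range actually sees: implant signal plus jammer."""
    data = encode_bits(bits)
    return [d + j for d, j in zip(data, jam_waveform(seed, len(data)))]

def decode(samples):
    """Integrate each bit's chips and take the sign of the sum."""
    return [1 if sum(samples[i:i + CHIPS_PER_BIT]) > 0 else 0
            for i in range(0, len(samples), CHIPS_PER_BIT)]

def decode_with_seed(rx, seed):
    """Reader that got the seed over the wired path: cancel the jammer, then decode."""
    return decode([r - j for r, j in zip(rx, jam_waveform(seed, len(rx)))])

def bit_error_rate(sent, got):
    return sum(a != b for a, b in zip(sent, got)) / len(sent)

def demo(n_bits=200, data_seed=1, jam_seed=42):
    """Return (BER for a receiver without the seed, BER for the wired reader that has it)."""
    rng = random.Random(data_seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    rx = over_the_air(bits, jam_seed)
    return bit_error_rate(bits, decode(rx)), bit_error_rate(bits, decode_with_seed(rx, jam_seed))

if __name__ == "__main__":
    print(demo())
```

The clean additive model is the optimistic case: over a real channel a receiver with several antennas can partly separate two transmitters that are not at the same spot, so the jammer has to sit right at the implant for the data signal to stay hidden.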
-
@adynathos said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
I do not think biometrics are a good solution - especially since those can change when someone is sick.
Depends on the biometrics used.
-
@raceprouk said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Depends on the biometrics used.
Maybe, but I would not trust biometrics to lock my computer/file/etc, let alone a pacemaker :P
-
Life-critical systems are life-critical, experts say. Public is shocked. More at 11.
-
@adynathos Requiring physical access is definitely the way to go here. The idea should be that accessing your body devices requires being in a position to stab you. This way, your natural anti-stabbing instincts apply (i.e. staying in safe areas, but trusting doctors, etc).
How to achieve it? Biometrics can be a good idea; alternatively, surely you can do some trick requiring magnetic fields in a certain shape to "unlock" the device to allow wireless access? Worst case, run a cable to a pad right below your skin somewhere and use electrical impulses there.
-
@blakeyrat said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
@bb36e I'm about equally disgusted by the fact that this exploit was only revealed as a stock shorting scam. What color "hat" is that?
I'm inclined to disapprove of that, but it turned out that the vulnerability was in fact real. If you owned stock in them, and then discovered something like that, wouldn't you sell?
-
@anotherusername said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
If you owned stock in them, and then discovered something like that, wouldn't you sell?
Depends on whether it was insider knowledge, obvs.
But you have a point, I guess the fact that it wasn't a fake exploit makes it slightly more acceptable. Slightly. Still strikes me as sleazy as fuck.
-
@anotherusername said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
If you owned stock in them, and then discovered something like that, wouldn't you sell?
That's not actually how shorting works...
@blakeyrat said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
But you have a point, I guess the fact that it wasn't a fake exploit makes it slightly more acceptable. Slightly. Still strikes me as sleazy as fuck.
Is that more sleazy or less sleazy than a company being shown a real vulnerability that could literally kill someone, and loudly denying that the vulnerability exists and accusing the researcher who came up with it (rightly or wrongly) of just being motivated by financial gain, and (wrongly, it turns out) of slandering them about the vulnerability existing?
-
@masonwheeler said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
That's not actually how shorting works
It's how shorting scams work. Short the stocks then convince everybody to sell, reducing the price and giving you a nice profit
-
@jaloopa Meh. It's not a scam if it's a legitimate problem.
-
@masonwheeler It's still pretty unethical to discover the issue, short then reveal it (if that is what happened)
-
@jaloopa Why?
Insider trading is unethical, but he didn't have any inside knowledge; he was going off of information that had been released to the public, as contained in the pacemaker that had been released to the public.
-
@masonwheeler said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
That's not actually how shorting works...
TIL. Yeah, it's kind of sleazy of them to profit off their knowledge that the stock price would tank. It might've actually been illegal, if that information hadn't been released publicly yet. (Or had it?)
-
@anotherusername The pacemaker had been released publicly. The relevant information was inside, just waiting to be discovered. This means that when it gets discovered, by definition someone has to be the first one to discover it. It could have been any researcher; it happened to be this guy. But it was still publicly available for whoever managed to look in the right place to find.
-
@masonwheeler Saying "It's OK because anyone could have found it" is about as good a legal defence as dry ice is at insulating a nuclear reactor.
-
@masonwheeler if you got the information by reverse engineering the device yourself, then sure, that argument might work. If somebody else reverse engineered the device and conveyed information about it to you before they released that information publicly, how is that not illegal insider trading?
-
@anotherusername said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
how is that not illegal insider trading?
There is nothing stopping the public from independently discovering this vulnerability and selling their stock -- if the vulnerability was discovered using 'black box' methods that required no information from the supplier, then there is no material, nonpublic information about the security. Why does it matter whether or not the person selling discovered the vuln on their own or paid someone else to find it?
-
@anotherusername Because insider information comes from inside the company.
It means it's illegal to, for example, buy a lot of stock because your buddy who works there tells you they're about to release a secret project that's going to dominate the industry. (Or sell a lot because he confides that the major new release is actually total crap with virtually no QA.)
If the information is available to the public, and the public just isn't paying attention, that's a completely different thing.
-
@bb36e said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
There is nothing stopping the public from independently discovering this vulnerability and selling their stock
The public didn't discover it, though. So obviously the information wasn't public.
@bb36e said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
if the vulnerability was discovered using 'black box' methods that required no information from the supplier, then there is no material, nonpublic information about the security
The page you linked to does not clarify whether "material, nonpublic information" includes information that someone discovered using "black box" methods.
@bb36e said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Why does it matter whether or not the person selling discovered the vuln on their own or paid someone else to find it?
Because if you found it all by yourself, then you can argue that you made the decision to short the stock using only publicly-available resources. If someone else found it and told you, they gave you information that other people didn't have, and which you wouldn't have had either without that third party disclosing it to you in secret.
@masonwheeler said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
insider information comes from inside the company.
False. It does not have to come from inside the company. Insider information is any "material, nonpublic information" about the security that you're trading. "Material" means that it would influence its stock value. "Nonpublic" means that it has not been released to the public. Making trades based on information which you have, which would be of significant importance to other investors if they knew it, is insider trading.
Analytically, the obligation [not to engage in insider trading] rests on two principal elements: first, the existence of a relationship giving access, directly or indirectly, to information intended to be available only for a corporate purpose and not for the personal benefit of anyone, and second, the inherent unfairness involved where a party takes advantage of such information knowing it is unavailable to those with whom he is dealing.
... those who would come to be known as "temporary" or "constructive" insiders, who possess material nonpublic information, must disclose it before trading or abstain from trading until the information is publicly disseminated.
One good example of where information might come from outside the company is if you know that the company you work for is about to sue them. Or, I'd argue, about to disclose a critical security flaw in one of their products.
-
@anotherusername Your own quoted snippet says the opposite: it requires two principal elements. The one you bolded, and "the existence of a relationship giving access, directly or indirectly, to information intended to be available only for a corporate purpose and not for the personal benefit of anyone." Without an "inside man" with access to corporate information, this does not exist.
-
@masonwheeler by that reasoning, though, telling someone "hey, I'm about to sue $company; you should short their stock and give me a cut" and then carrying out that plan wouldn't be illegal; the relationship between you gave him access to information specifically intended to be used for the personal benefit of both of you. But I'm pretty sure that would still be considered insider trading, because it's not publicly known information.
-
@anotherusername said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Here's another quotation -- this, the actual law that applies to insider trading:
It shall be unlawful for any person, directly or indirectly . . .,
(a) to employ any device, scheme, or artifice to defraud,
(b) to make any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading, or
(c) to engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of a security.
Selling something at a price which you know is more than it's worth, while purposefully withholding information that the buyer doesn't have, information which you know would devalue it in their eyes... without first disclosing that information... is fraud. Fraud in connection with the sale or purchase of any security is, under that rule, explicitly unlawful.
-
@masonwheeler said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Why?
I'm not Mr. Security Man, but isn't the "white hat" industry standard to give between 7 and 30 days of confidential disclosure of the issue to the company before reporting it to the public? And if the company responsibly handles the exploit, to leave reporting of it as their responsibility and not do it yourself?
-
@masonwheeler said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Because insider information comes from inside the company.
That's not true. (Well, it's true in part, but it's not only information from inside the company.) You should probably read a summary of how insider trading works if you buy/sell stocks; you might get yourself in a heap of trouble.
-
@anotherusername said in 465k patients told to visit doctor to patch critical pacemaker vulnerability:
Selling something at a price which you know is more than it's worth, while purposefully withholding information that the buyer doesn't have, information which you know would devalue it in their eyes... without first disclosing that information... is fraud.
Aha. This seems reasonable. I stand corrected!
-
On the (new) topic of insider trading, here's a scenario:
A person with access to non-public knowledge about upcoming legal changes (as in new regulations or new laws) that will materially affect a stock price makes stock trades based on this information.
Which of the following is true?
a) the person is guilty of insider trading
b) the person is not guilty of insider trading
c) the person is guilty unless that person is a US Senator or Representative (or a staffer thereof), in which case the law explicitly does not cover their behavior so they're ok.
Yup--the answer is c. Politicians. Aren't they wonderful?
-
For those interested in the nuances of insider trading, I highly recommend Matt Levine's writing. He seems to touch on it in almost everything he writes, and basically as the only law (as stated above) is a generic rule against "fraud" (which can be tricky to define in and of itself), there's a lot of case law that isn't all consistent.
In general, it's not illegal to trade based on knowledge of one's own future action. That is, if $PopularHedgeFund is about to buy a bunch of stock, that may end up being Material Information, since the very fact that $PopularHedgeFund thinks the company is a good buy is likely in and of itself to increase the price. But they're still allowed to buy it, even knowing that them buying it will increase the price, as there's nothing "insider" about it.
The whole idea behind the free market of stock investing (for better or worse) is that investors would do research to find out which companies are good investments or not, and buy or sell them accordingly (including short selling). Otherwise, there would never be any input to the system to try to mark companies to the "right" price. So, if one finds information out that a company is doing a poor job of something, selling their stock (including short selling) is the capitalist way of communicating that information to help the market set the price of the company "correctly". The process rewards investors who discover information about a company (by letting them profit off of the information being distributed), and thus companies have a close-to-optimal distribution of capital among them. And so without it, there might not be an incentive (or at least not the funding) for people to (for example) research and disclose life-threatening security vulnerabilities.
That's the argument in favor of allowing this kind of thing. Obviously not every aspect of capitalism is ideal, but it does have some benefits.