St. Jude heart implant devices can be hacked, security researchers say

Originally published at: http://boingboing.net/2016/10/24/st-jude-heart-implant-devices.html

2 Likes

> that might be extended to 45 feet (13.7 meters) with an antenna, or 100 feet (30.5 meters) with a transmitting device known as a software defined radio.

Why would the use of an SDR in particular matter? So long as you’re transmitting the data on the right frequency, modulation, and all, shouldn’t distance be determined by broadcasting power, not the type of radio used?

ETA: Where’d that 45-feet business come from? The Reuters link says:

> the range might be extended to as far as 100 feet (30 meters) with an antenna and a specialized device known as a software defined radio.

1 Like

If I had to guess I’d say the original authors described a full scenario including example hardware and “SDR” was one of the words the journalist remembered.

5 Likes

Move over tin foil hats - tin foil vests are where it’s at.

6 Likes

The insecurity seems ironic, considering that St. Jude was a cypherpunk.

3 Likes

♬_St. Jude, don’t kill those lads_
Take some bad code and make it better
Remember to let infosec into your heart
_Then you can start to make it better_♬

8 Likes

Aside from the oh-so-cyberpunk issue of hackable implants; this case is notable because of the…unorthodox…(and to the best of my knowledge not previously used, at least in public) nature of the vulnerability disclosure.

Muddy Waters took a short position on St. Jude’s stock; and then reported that their devices were vulnerable to potentially lethal wireless hacks. This, unsurprisingly, gave the stock a bit of a shock; which is exactly what a short seller would want.

St. Jude filed suit, accusing Muddy Waters of market manipulation through security FUD. That is why this latest report was commissioned and released, as Muddy Waters is (while in no way denying that they were looking to drive down St. Jude’s stock price) arguing that they are in the clear because they released information that was entirely true and derived from legal security analysis (rather than theft of trade secrets or the like).

It wouldn’t entirely surprise me if this isn’t the last time we see this particular approach to ‘DIY bug bounty’ crop up.

Assuming Muddy Waters can, in fact, back their claims; they haven’t done anything illicit; and they did get the stock movement they wanted.

I suspect your ‘journalist selective memory’ thesis is largely correct; though it is possible that ‘SDR’ stuck out in the journalist’s memory because somebody tried the (idiotic; but far too common with proprietary RF stuff) “Hey, only we make ProprietaryRF™ equipment; and none of it has a range of more than X meters, so how could you hack it at a greater distance?” argument.

There is, indeed, nothing special about SDR in terms of signal strength, range, etc; but the fact that it allows someone with a software background and inexpensive hardware to implement all sorts of ‘secure’-by-obscurity radio gear has led to a bit of a shake-up. Maybe the professional paranoids over in SIGINT never made this assumption; but commercial vendors liked to pretend that, so long as you couldn’t easily obtain a suitable radio and connect it to a computer, everything was fine. And, against security researchers who were basically software people, this was often true except when the magic of eBay allowed them to get their hands on the appropriate obscure hardware (e.g. DECT, despite being known mostly as a barely-standardized interconnect for wireless telephones; was available as a wifi competitor in PCMCIA card form. Not popular, never caught on, few units in the wild; but enough that security types with no real hardware background were able to use them to go poking at cordless phones, with predictably…excellent…results).

With SDR cheap and widely available; it is now much more plausible for either a security researcher or an attacker to implement an RF link for which hardware is unavailable.

3 Likes
