Can I drop a pacemaker 0day?

299 points | jessaustin | 11 years ago | blog.erratasec.com

163 comments

[+] redthrowaway|11 years ago|reply
Call up CNN and offer to demonstrate how BIOTRONIC is so evil that they refuse to fix their pacemakers. Hook it up to an ECG and use your phone to make it flatline. Then turn to the camera and tell the audience, "because BIOTRONIC doesn't want to pay to fix their product, I can now kill your grandmother just by walking past her on the street."

Watch how long it takes them to fix it then, and watch how reactive they become to responsible disclosure next time.

Also, short their stock before you go on TV. A little something for your troubles.

[+] jph|11 years ago|reply
Terrible advice to pull a media stunt.

First, you have no idea what the manufacturer needs to do to fix the problem, alert customers, do recalls and recertifications, and the like.

Second, you put yourself directly in the line of fire unnecessarily and for all the wrong reasons. You could find yourself on the end of all kinds of legal trouble, and on top of that you would be morally culpable for any harm.

Do it the right way: get a lawyer. The lawyer will know how to contact the vendors, the regulatory agencies, media if necessary, and customers if necessary.

[+] nl|11 years ago|reply
I'd imagine the correct thing to do is use the FDA's "MedWatch Online Voluntary Reporting Form".

Use the MedWatch form to report adverse events that you observe or suspect for human medical products, including serious drug side effects, product use errors, product quality problems, and therapeutic failures for:... Medical devices (including in vitro diagnostic products)

[1] https://www.accessdata.fda.gov/scripts/medwatch/

[+] Lagged2Death|11 years ago|reply
Watch how long it takes them to fix it then...

That strikes me as really optimistic. Another scenario:

Medical equipment manufacturing lobby (I'm assuming there is such a thing) pushes to have such disclosures treated as acts of terrorism. Manufacturer issues a patch that fixes your very specific vulnerability in some trivial, meaningless way. Your career is ruined. Pacemakers truly secured: 0.

[+] harrylove|11 years ago|reply
If you attempt a stunt like this, please first consider the people who have these pacemakers in their bodies. Put yourself in their shoes as they're watching the news broadcast or getting a frantic call from a family member.

Let's say one of them panics out of fear, has a heart attack, and dies. The family reports this to the media. Now the news media is hunting you down. The authorities want to have a word with you, and you're the target of several lawsuits. Not to mention, you just killed someone with your flippant remarks. Technically speaking, the device manufacturer hasn't hurt anyone at this point. But you've contributed to the death of a person. Is that really what you're after?

Contacting a lawyer to understand the protocol for disclosure and the ramifications won't cost you anything for the initial consultation. Contact the EFF or ACLU and ask for advice. Ask them who you should contact next.

[+] wheaties|11 years ago|reply
Now THAT is how you do it. Grab a "shock of the week" angle and play it for anyone that wants to watch. Only issue is getting a "non-defective" pacemaker. Those things aren't cheap or easy to come by without ordering it from the manufacturer. Whatever profit you could have shorting the stock you'd lose almost immediately by having to purchase the device.
[+] shard972|11 years ago|reply
> Call up CNN and offer to demonstrate how BIOTRONIC is so evil that they refuse to fix their pacemakers

We should probably check first to see if BIOTRONIC is one of their advertisers; might be an issue.

[+] psychometry|11 years ago|reply
There's no need to call CNN. We have YouTube now, which would arguably be a more effective medium if the video can achieve any level of virality.
[+] qbrass|11 years ago|reply
This might sound pedantic, but don't say "I can now kill your grandmother," it makes you look evil instead of the company you're trying to shame.

BIOTRONIC releasing the patch they should have released anyway, just to stop your evil scheme of murdering the elderly, turns into a PR win for them.

[+] EGreg|11 years ago|reply
Everything except shorting their stock. If you wrote a hard-hitting exposé or a John Stossel-type broadcast you aren't likely to be branded a terrorist. Make sure you don't reveal how it's actually done, but the fact that it can be.

In short - media showing the potential results (and dramatizing them) puts heat on the company to fix it.

[+] bryanh|11 years ago|reply
Also, be prepared to be labeled a murderous hacker.
[+] sturmeh|11 years ago|reply
Then they cut to an ad of Watch_Dogs.
[+] captainmuon|11 years ago|reply
No need to involve the media. Call the police, and make an anonymous death threat towards a well-known person with a pacemaker. They will have to investigate. Then send them your POC anonymously.
[+] blafunke|11 years ago|reply
But first have some skepticism. You can't interface with a PM without direct contact with a patient. Pacemakers are not bluetooth enabled wifi connected internet appliances. Yes, they are programmed remotely, but in this case remote means a reader device that must be physically placed on a person directly over the pacemaker. While there are things to be legitimately concerned about, this article is a wild fantasy.
[+] aquadrop|11 years ago|reply
"I can now kill your grandmother" - very bad phrasing for TV...
[+] droope|11 years ago|reply
Isn't that what weev did? He sure got arrested and prosecuted for it.
[+] madaxe_again|11 years ago|reply
That will land him in prison. Have you learned nothing?! Think AT&T - and that's just frigging phone info. For this, they'll tar him a terrorist and throw him in a hole to die.
[+] frozenport|11 years ago|reply
Don't you need surgery to fix it?
[+] vacri|11 years ago|reply
I understand that this isn't the purview of yellow journalism, but to be accurate, the statement should be: "I can now kill your grandmother just by walking past her on the street, and asking her to stand still while I hold an induction wand quite close to her pacemaker"
[+] firloop|11 years ago|reply
This is the most important problem that the internet of things faces. How can we network everything while maintaining at least some scrap of security, especially in the long term? How can we convince people that their toaster is worth patching, and, more importantly, how do we convince vendors that toasters are worth releasing patches for? What if appliance makers go bankrupt and your dishwasher no longer receives patches? How will devices be updated if another Heartbleed-esque situation occurs? It's easier for a user to protect themselves from a 0-day in an app they use, for example, compared to vital home appliances such as dishwashers, refrigerators or washing machines, which cannot merely be uninstalled.

This is a very real threat, most notably Belkin [0] has suffered critical security breaches, and this issue won't be going away any time soon. How can security researchers get CVEs patched, and how can we prevent them from occurring in the first place? This should be priority #1 for any company trying to bring internet-connected appliances to the mainstream.

[0]: http://arstechnica.com/security/2014/02/password-leak-in-wem...

[+] jph|11 years ago|reply
Absolutely NOT because this could kill people.

If you truly have a pacemaker 0day, contact me (joelparkerhenderson) on most major service and I will connect you with my healthcare policy lawyer. She can rapidly open the doors to the vendors who have the risk.

[+] iandanforth|11 years ago|reply
Do most medical device manufacturers carry insurance against lawsuits? If so, historically, how high has the bar been before the insurers pay out? If there is a strong relationship between a device manufacturer getting sued and an insurer losing money then this could be a great contact to try.
[+] drcode|11 years ago|reply
The question isn't whether it could kill people, but whether it would kill fewer people than not releasing the exploit.

(Though even if you were sure fewer people would die it would still be an ethical conundrum)

[+] david_shaw|11 years ago|reply
Here's an idea:

1.) Responsible disclosure to vendor. Allow reasonable amount of time for a fix to be created and deployed.

2.) (If fix is deployed, release details)

3.) If no fix is deployed in a reasonable amount of time and the vendor is unresponsive, release a PoC that demonstrates exploitability without giving away details. eg: "Here is a pacemaker. Look, I did magic and it stopped!" This is the same idea as releasing the actual vulnerability/exploit, but doesn't put lives at risk. People that could fuzz for any type of a vulnerability would be able to find it on their own anyway.

I agree that ICS and health-sensitive vulnerability disclosure is a trickier field than most. Medical devices, cars, and power plants are much more sensitive than a random kid's iPhone; that's why groups like I Am The Cavalry are trying to address the issue industry-wide.

However, to answer the original question: don't drop a pacemaker 0day at DEF CON. Find a way to fix the problem with the vendor instead. At the very "worst," demo without vulnerability or exploit details.

[+] croggle|11 years ago|reply
What does 'fix deployed' mean? How do you actually update pacemaker software? Are you going to wait until 100% of the deployed pacemakers are fixed? What is an acceptable fix rate before you release the exploit?
[+] fiatmoney|11 years ago|reply
- Contact the FDA, or other regulatory bodies.

- Contact the customers. They'll likely have standing to sue (they were sold a defective product).

- Class-action attorneys may be interested for this reason.

- Did you know you can pay a very, very modest amount of money to file a press release saying anything you want?

- Contact some investors. Short sellers will have a vested interest in making sure the information gets widely publicised.

[+] kmowery|11 years ago|reply
This sort of 0-day has been known in the academic literature for some time[1].

Disclosure of critical vulnerabilities in implantable devices is far more fraught than your normal critical software 0-day. These devices require surgery for replacement, and a small number of those surgeries will have possibly fatal complications. The cost of immediately replacing all existing vulnerable devices could literally be measured in lives. (And that's even assuming that the device manufacturer fixed the problem!)

Implantable software is already a very tricky area, and there's no signs that it'll get any easier.

[1] Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, http://www.secure-medicine.org/public/publications/icd-study...

[+] zaroth|11 years ago|reply
It's not quite "this could kill people" but rather "this could be used to kill someone." But there are a lot of things that one person could use against another person to kill them; ethically, what does adding this thing to the list change?

If you discovered / disclosed a particular way the unit could malfunction and kill someone it seems like that's put in a different class; in that case you're a hero saving lives. But if you report on a technique someone could use to cause the device to malfunction, it's treated completely differently.

I think a related and important message is that pacemaker "malfunctions" should be treated as possibly suspicious.

[+] Kliment|11 years ago|reply
This is a way to kill someone at a distance, with no obvious trace leading to you, and using nothing but an off the shelf laptop or phone. It's significantly more dangerous than any of the other known methods of murder because of the reduced risk to the murderer.
[+] jfoster|11 years ago|reply
How about releasing the vulnerability in stages? The author jumps from unresponsive vendor to releasing exploit code. What if you add steps between the two?

For example:

- Announcing a vulnerability has been found and identifying the unresponsive vendor.

- Announcing what the disclosure timeline will be.

- Detailing the product lines known to be affected by the vulnerability.

- Publishing communication with the vendor so far with any details about the vulnerability redacted.

- Private disclosure to professionals (doctors & journalists) to have them independently verify that the vulnerability exists and help with raising awareness.

- Full details about the vulnerability, but no exploit code.

[+] techdragon|11 years ago|reply
This just sounds like responsible disclosure to me. With added steps because the "responsible" part requires you act differently due to the possible risk involved. This is likely the best way to go, and I'd expect to see some legal advice back it up were it to actually happen that such an exploit existed.
[+] ntrepid8|11 years ago|reply
What pacemaker communicates via Bluetooth? Last I checked they all used induction telemetry (which requires the telemetry wand to be within several inches of the device) or MICS band radio for distance telemetry. I think some Boston Scientific devices used 900MHz at one time, but how many of those are still in the wild?

The only instances of "hacking" a pacemaker (or ICD) have been when researchers used a programmer from the manufacturer to "hack" the device.

So it seems super unlikely you know a Bluetooth zero day for a pacer.

[+] pbhjpbhj|11 years ago|reply
> The only instances of "hacking" a pacemaker [...] //

Someone has linked a PDF of an "ICD study" upthread that shows your contention to be at least partially false.

[+] seehafer|11 years ago|reply
Indeed, all pacers I know of don't have Bluetooth comms precisely because of the potential for vulnerabilities.

(I used to work for a pacer company)

[+] cpt1138|11 years ago|reply
What do you expect them to do? Even assuming they were 100% concerned with security and did everything right and there was still a bug that allowed a pacemaker to be compromised, do you expect them to cut open a person and replace the buggy pacemaker?

I don't pretend to be an expert in this area but getting medical equipment approved is a huge undertaking and I don't know what the ramifications of changing anything would be. Say they take your 0day and fix it. Then they have to go through the entire re-certification process again and after however many months or years, NEW patients get the fixed pacemaker. But what about all the old patients?

While I sympathize, the only realistic approach here is to make the consequences for killing someone via a 0day for the "lulz" so drastic that it would certainly legally bleed over into the disclosure. I realize this is the approach we do tend to take here in the US.

[+] xur17|11 years ago|reply
Someone made a comment above stating that people with pacemakers typically have to go in once or twice a year to get it checked, and the devices can be updated using 'inductive or rf telemetry'. Presumably doctors could update the devices when patients come in.
[+] JunkDNA|11 years ago|reply
In the case of medical devices, this is squarely in the FDA's wheelhouse in the USA. The FDA likely lacks the people with appropriate expertise to evaluate these kinds of safety issues because their traditional focus has been on the more typical kinds of medical device risk. A concerted effort at dialog with them could turn that around. Particularly if it were done through a series of academic workshops with key people.
[+] TheSockStealer|11 years ago|reply
Make a YouTube video of the hack actually working on a pacemaker (preferably one that is not in a person). Show how it can be executed from a smart phone while walking down the street or sitting at Starbucks.

Send that to the company and the media. You are best off also showing documentation that you told the offending company multiple times.

Show, don't tell.

[+] neurobro|11 years ago|reply
"The problem is that dropping a pacemaker 0day is so horrific that most people would readily agree it should be outlawed. But, at the same time, without the threat of 0day, vendors will ignore the problem."

If this is the case, then wouldn't the same most-people (if made aware of the issue) also agree that it should be illegal for a company's management to ignore life-threatening software flaws in their products after being notified?

I mean illegal as in reckless endangerment or manslaughter, not illegal as in lawsuits and golden parachutes.

[+] NamTaf|11 years ago|reply
And so it begins. I was wondering when we'd finally start seeing the InfoSec guys get to this. The more recent stuff branching into CAN on cars and before that SCADA systems seemed to be the last sort of stepping stone from a traditional PC network to the internet of things networks.

I'm sort of glad, in a twisted way, that this has finally happened. Better the light get cast on this now than in a few years once the criminal(/nation-state...) equivalents have had time to go through it themselves.

[+] clarky07|11 years ago|reply
I remember reading that Cheney had them remove all wireless functionality from his pacemaker because they were afraid of the potential of someone using it for assassination.[1]

[1] http://abcnews.go.com/US/vice-president-dick-cheney-feared-p...

EDIT: Also, no you shouldn't release a pacemaker 0day. As others have said, expose it without releasing details. Makes for a nice demo.

[+] Taek|11 years ago|reply
I think that there are a lot of ways to approach this. The Heartbleed disclosure was very well done and has a lot of lessons, perhaps there's something to learn from that.

Personally, I think it's completely unacceptable the way many technologies critical to keeping people alive are so vulnerable. Especially if the vulnerabilities are as widespread as the article suggests (30%!), find a list of 10-20 that vary in importance. List all the products, and list the consequences of each vulnerability.

Then start dropping 0-days one at a time until the industry realizes you are serious. Start with the less severe ones, but if the pacemaker vulnerability hasn't been addressed after a few months of weekly vulnerability releases, don't hold back. The more publicity you can get the more likely a company is to patch vulnerabilities.

If _teenagers_ are capable of finding vulnerabilities that can end lives using a script they downloaded online, then we need to be ready to take drastic action. The industry is in a terrible state and we aren't safe, and decreasingly so as these gaping holes continue to sit there and be discovered.

[+] watty|11 years ago|reply
This is an incredibly sensational piece. All of the sane suggestions are dismissed as "doesn't work" by giving one example where it didn't work. It's not that easy - going to the media won't solve the problem 100% of the time but it sure as hell would if it were a life and death 0day and wasn't fixed with urgency.

Don't even get me started about the Nazi analogy...

[+] chrismorgan|11 years ago|reply
If it’s an obvious vulnerability, is there value in withholding the details? There is a strong case to be made for the argument that the people who would be willing to use such a 0day maliciously (sociopaths) would find it anyway.

It could potentially also depend on how easily the vulnerability can be patched—one that can be patched remotely can be dealt with much more rapidly than one that will require surgery to replace the device. If one assumes that full disclosure will lead to the fixing of the issue, the first class is probably closer to being judged “responsible” than the second.

It is certainly a difficult dilemma. The correct answer can only be known with the benefit of hindsight…

[+] robszumski|11 years ago|reply
When there is a flaw in a car seat or child's toy everyone flips shit and recalls start happening. It's covered on the local news and all that. Why doesn't that happen for pacemakers? Isn't this a problem for the Consumer Product Safety Commission or the FDA?

It's a product that has a flaw. Seems like it qualifies for a public recall.

[+] s_tec|11 years ago|reply
I don't understand why there is such a debate here. I would absolutely disclose the 0-day if the manufacturer was unresponsive (given sufficient warning, of course). Moreover, if anyone died, I wouldn't feel the least bit guilty about that - the guilt rests firmly on the manufacturer and the individuals who choose to use the exploit.

After all, black-market exploits will come, and people will die, whether you disclose the vulnerability or not. At least with disclosure, the innocent have a chance to protect themselves.

You must weigh the lives lost to silence against the lives lost to disclosure. We practice disclosure in all other areas of computer security because we have seen the cost of silence too many times. There is no reason it should be different here.

Disclosure saves lives.