St. Jude Medical, Inc. (STJ): Still Non-Secure
This past Friday, STJ published a response to the report MWC issued the day before. STJ’s response contained very little substance, and actually included admissions to several key points. There are no changes to MedSec or our conclusions about the lack of security in the STJ device ecosystem, and our belief in the need for recall and remediation.
There were two components to STJ’s response: substance (~20%) and fluff (~80%). We first address the substance.
1. STJ responded that users would have to be within seven feet of a Merlin@home in order to be vulnerable to attacks, including the attacks that MedSec demonstrated. This struck us as a bizarre statement because:
- It acknowledges that the hundreds of thousands of active Merlin@home users who sleep near their Merlin@homes would obviously be vulnerable to a large-scale attack when connected to the devices for a continuous time period.
- It completely ignores our comments about broadcasting an attack through a software-defined radio (“SDR”), which can be paired with a significantly more powerful antenna. (MedSec has already demonstrated through a proof of concept that this is possible via an SDR.) Because the security on the Merlin@home device is seemingly so poor, it would be relatively easy for an attacker to develop software that runs on a laptop, communicates with the implantable devices, and is broadcast from a more powerful antenna. We discussed SDRs twice in the report, referring to a “software defined radio”.
2. STJ seems to want to give the impression that its software updates addressed “the majority” of the vulnerabilities MedSec identified. The below statement from STJ’s response seems to be an admission that a) STJ is aware it distributed devices with serious vulnerabilities, and b) STJ believes some vulnerabilities still exist on the device. Moreover, it is not an explicit statement that its updates have addressed these issues.
“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home™ devices (i.e., those that have not been updated through the automated remote upgrade process).”
If STJ were to expressly state that its software updates addressed all of the findings, such a statement would strike us as completely wrong. STJ seems not to understand that many of the issues identified by MedSec on the Merlin@home device cannot be addressed with software updates alone, in part because of the open UART, JTAG, and SPI interfaces and the removable NAND flash. The large number of available devices, combined with the seeming lack of protection, makes the job of an adversary much easier.
Finally, STJ did not address that it has produced programmers with removable, unencrypted hard drives.
3. STJ stated that MedSec’s claim about the ability to impersonate any device in the STJ ecosystem is speculative. MedSec is confident it is correct because the communications protocol used between devices does not sufficiently authenticate the end points. In other words, authentication was not built into the communications protocol used between devices.
4. STJ showed its poor understanding of security when it stated that Merlin@home encrypts communications it sends. This appeared to be an attempt to impress readers with a specific purported security feature of the device.
“The data transferred by Merlin@home are fully encrypted and meet or exceed all applicable national data privacy and security requirements in all countries where the Merlin.net PCN is used.”
In actuality, STJ’s communications protocol uses a simple data mixing technique to address performance, not data protection. St. Jude Medical’s own supplier, Zarlink, refers to this as “whitening” rather than encryption. In MedSec’s opinion, this method doesn’t even come close to the most basic encryption protections expected to protect patient data.
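To illustrate the whitening-versus-encryption distinction, the following added example (not code from the report, from MedSec, or from any STJ or Zarlink product) implements a generic LFSR data whitener of the kind radio transceivers use to balance bit patterns. The polynomial, seed, and sample frames are constructed assumptions; the point it shows is that whitening is a fixed, keyless transform that any receiver reverses, and that it does not even hide which bytes changed between two frames.

```python
# Generic radio "data whitening" versus encryption. The LFSR polynomial
# (x^7 + x^4 + 1) and seed are illustrative assumptions for this example,
# not the scheme the page attributes to Zarlink.


def whitening_stream(n_bytes: int, seed: int = 0x7F) -> bytes:
    """Keystream from a 7-bit Fibonacci LFSR with taps at bits 7 and 4.

    Every parameter is fixed by the radio specification, so the stream is
    public. No secret is involved anywhere; that is the whole point.
    """
    state = seed & 0x7F
    out = bytearray()
    for _ in range(n_bytes):
        byte = 0
        for bit in range(8):
            byte |= (state & 1) << bit  # emit the register's low bit
            feedback = ((state >> 6) ^ (state >> 3)) & 1
            state = (state >> 1) | (feedback << 6)
        out.append(byte)
    return bytes(out)


def whiten(frame: bytes, seed: int = 0x7F) -> bytes:
    """XOR a frame with the whitening stream; the same call de-whitens it."""
    stream = whitening_stream(len(frame), seed)
    return bytes(b ^ k for b, k in zip(frame, stream))


def changed_bytes(a: bytes, b: bytes) -> list[int]:
    """Indices at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample frames that merely resemble telemetry; not real data.
FRAME_A = b"\x01\x02PATIENT-ID:0042\x00"
FRAME_B = b"\x01\x02PATIENT-ID:0043\x00"

if __name__ == "__main__":
    wa, wb = whiten(FRAME_A), whiten(FRAME_B)
    print("whitened A:", wa.hex())
    print("recovered without any key:", whiten(wa))
    # Whitening is a per-byte XOR with a public stream, so the positions
    # that differ between two whitened frames are exactly the positions
    # that differ in the plaintext: no diffusion, no confidentiality.
    print("differing byte positions:", changed_bytes(wa, wb))
```

A real cipher would require a key the receiver must possess and would change every output byte when one input byte changes; neither property holds here.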
5. STJ disputes that its ICD was “crashed” by the attack. We have posted a video of a crash attack test on a pacemaker. We invite STJ to explain what is going on with its pacemaker. The video is available at https://vimeo.com/180593205
We now address the fluff. We engaged a firm to do a credibility analysis of STJ’s response. The following analysis, prepared by a former Central Intelligence Agency behavioral analyst and polygrapher, indicates deception throughout the response. Many of these indicia are in the portions of the response we label “fluff”. The analysis is published as presented to Muddy Waters Capital LLC, and redacted only to protect the identity of the former CIA officer.
Credibility Assessment: St. Jude Medical (STJ)
27 August, 2016
This analysis of St. Jude Medical’s (STJ) 26 August, 2016 response to Muddy Waters Capital’s (MWC) report, released 25 August, 2016, reveals multiple indicators associated with deception. Outlined below are the portions of their response which offer the clearest display of such indicators. It is not uncommon for indicators to appear in clusters within a response-onset window in a traditional question and answer exchange. In the case of a written response, such as this, a more global assessment is made. As a general rule, the greater the number of indicators identified, the higher the likelihood of deception. For the sake of length I have in some places condensed, paraphrased, or summarized statements made by each party. In other places, where it is more beneficial, I have included full transcription.
The conclusions reached in this analysis are the independent opinions of the behavioral analyst and in no way or part constitute a buy or sell recommendation of the underlying security. Be advised that the deception detection protocol is not foolproof and is somewhat dependent on the size and quality of the data sample being analyzed. Errors and omissions may be contained herein.
Convincing Statements are used by deceptive persons in an attempt to manage the perception of their accuser towards the positive. The underlying goal of this linguistic device is to convince the other party that the accused would never do the thing they are accused of because they are not that kind of person, or in this case, that kind of company. When one cannot clearly show through the presentation of facts that they did not do the bad thing, then they must resort to another approach. Focusing on the kind of person/company they are is a subtle diversion away from the actual actions they took or failed to take – the bad thing they are being accused of. When used by corporations, as opposed to individuals defending themselves, Convincing Statements often take the form of sales language, canned corporate speak, and highly generalized statements that contain very little real information. STJ’s response contains a litany of these Convincing Statements:
“Our top priority is to reassure our patients….”
“St. Jude Medical stands behind the security and safety….”
“St. Jude Medical will remain ever vigilant and dedicated….”
“…..are not aware of such threats and will remain vigilant to the…..”
“We recognize the importance of providing physicians with up-to-date and accurate information in a timely and responsible manner…”
“Patient safety has always been our top priority and we have every reason to believe….”
Don’t be fooled by the fact that this kind of language is used often – deception is a very common part of human communication. It is the dense cluster of these statements in a relatively short rebuttal that indicates deception.
Exclusionary Qualifiers are used by deceptive persons when they wish to deny a specific portion of an accusation, while leaving the door slightly open to other portions. The below is a perfect example:
“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process).”
By inserting the word “majority” they are indicating that some of the observations made by MWC apply to more current versions of the Merlin@home devices. If this is true, then they are acknowledging some legitimacy to MWC’s claims. If their primary goal is to ensure the complete security of all of their devices then they would use this opportunity to provide clear guidance to all customers on how to fully secure them. Instead, they offer an additional Convincing Statement coupled with a Perception Qualifier:
“We are confident in the technology that we provide and in our process for continuously building upon our security protocols and processes.”
This statement is a veiled admission to lesser security quality in previous devices – many of which are currently being used by patients – and the need to continue improving their existing security protocols and processes. The insertion of the phrase “We are confident…” is a commonly used Perception Qualifier. Its goal is to add credibility to their assertion without providing fact, as the facts are likely not their ally. Their statement offers no technical, measurable, or quantifiable reason for their confidence…we are just supposed to feel better because they are confident.
Borrowed Credibility. When companies repeatedly refer to regulatory bodies, legal processes, and industry standards, one should be cautious. It is not hard to produce a long list of companies that satisfied all of these requirements while simultaneously committing fraud or gross negligence. Reference to these agencies and processes, therefore, is an attempt to borrow the credibility of those organizations when their credibility is taking a hit.
These references are a critical piece of their Diversion Narrative – a story designed to “look away” from the specific issue to a better story about past compliance with regulatory processes. When your child brings home a report card with four A’s and one D, be prepared for him or her to divert the narrative away from the D to the four A’s. He or she may even be tempted to remind you of past report cards that did not contain any D’s.
The real concern. It is my opinion that STJ tipped their hand in the following statement:
“We recognize the importance of providing physicians with up-to-date and accurate information in a timely and responsible manner so that they can make informed patient care decisions. Our analysis reinforces the need for researchers and manufacturers to work together to discuss and resolve potential issues together to avoid unnecessarily alarming patients.”
Their analysis? Are they referring to their analysis of the MWC report? If so, are they consenting to the notion that MWC’s findings represent “potential issues” that require collaboration between “researchers and manufacturers”? Would it not be more correct to say “MWC’s analysis has brought to light multiple issues that underscore the need for researchers and manufacturers to work together to discuss and resolve”? I’d say it does – and constitutes a veiled admission that significant security issues exist. It further points to their frustration with MWC’s public display of their findings, as does the following statement in their opening paragraph: “… while we would have preferred the opportunity to review a detailed account of the information…” The extremely rapid rebuttal produced by STJ, its lack of substance, and the clusters of deceptive behaviors it contains, suggests their core agenda is to inject optimism back into the market, not necessarily the “responsible working together to discuss and resolve potential issues…” tack they purport.
Given the density of the clusters of deceptive indicators in this rebuttal it is highly likely that STJ is being deceptive about the cyber security of its cardiac devices and their knowledge of their existing limitations. Their agenda is to manage the perception of the market in the short term from pessimism to optimism, erode the credibility of the MWC report and present confidence in the face of specific allegations while simultaneously failing (or choosing not) to insert inarguable facts to the contrary.
See the full PDF below.