St. Jude Medical, Inc. (STJ): Still Non-Secure
This past Friday, STJ published a response to the report MWC issued the day before. STJ’s response contained very little substance, and actually included admissions to several key points. There are no changes to MedSec or our conclusions about the lack of security in the STJ device ecosystem, and our belief in the need for recall and remediation.
There were two components to STJ’s response: substance (~20%) and fluff (~80%). We first address the substance.
1. STJ responded that users would have to be within seven feet of a Merlin@home in order to be vulnerable to attacks, including the attacks that MedSec demonstrated. This struck us as a bizarre statement because:
- It acknowledges that the hundreds of thousands of active Merlin@home users who sleep near their Merlin@home would obviously be vulnerable to a large-scale attack when connected to the devices for a continuous time period.
- It completely ignores our comments about broadcasting an attack through a software-defined radio (“SDR”), which can be paired with a significantly more powerful antenna. (MedSec has already demonstrated through a proof of concept that this is possible via an SDR.) Because the security on the Merlin@home device is seemingly so poor, it would be relatively easy for an attacker to develop software that runs on a laptop, communicates with the implantable devices, and is broadcast from a more powerful antenna. We discussed SDRs twice in the report, referring to a “software defined radio”.
2. STJ seems to want to give the impression that its software updates addressed “the majority” of the vulnerabilities MedSec identified. The below statement from STJ’s response seems to be an admission that a) STJ is aware it distributed devices with serious vulnerabilities, and b) STJ believes some vulnerabilities still exist on the device. Moreover, it is not an explicit statement that its updates have addressed these issues.
“Our analysis concluded that the majority of the observations in the report apply to older versions of the Merlin@home devices (i.e., those that have not been updated through the automated remote upgrade process).”
If STJ were to expressly state that its software updates addressed all of the findings, such a statement would strike us as completely wrong. STJ seems not to understand that many of the issues identified by MedSec on the Merlin@home device cannot be addressed with software updates alone, in part due to open UART, JTAG, and SPI interfaces and removable NAND. The large number of available devices, combined with the seeming lack of protection, makes the job of an adversary much easier.
Finally, STJ did not address that it has produced programmers with removable, unencrypted hard drives.
3. STJ stated that MedSec’s claim of the ability to impersonate any device in the STJ ecosystem is speculative. MedSec is confident it is correct because the communications protocol used between devices does not sufficiently authenticate the end points. In other words, authentication was not built into the communications protocol used between devices.
4. STJ showed its poor understanding of security when it stated that Merlin@home encrypts communications it sends. This appeared to be an attempt to impress readers with a specific purported security feature of the device.
“The data transferred by Merlin@home are fully encrypted and meet or exceed all applicable national data privacy and security requirements in all countries where the Merlin.net PCN is used.”
In actuality, STJ’s communications protocol uses a simple data mixing technique to address performance, not data protection. St. Jude Medical’s own supplier, Zarlink, refers to this as “whitening” rather than encryption. In MedSec’s opinion, this method doesn’t even come close to the most basic encryption protections expected to protect patient data.
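The distinction the report draws between whitening and encryption, shown as an added illustration that is not from the report or from any STJ/Zarlink product: the whitening sequence below uses the PN9 polynomial (x^9 + x^5 + 1, all-ones seed) common in ISM-band transceivers, chosen as an assumption for illustration only, and the keyed mask is a toy contrast to show key dependence, not a recommended cipher.

```python
"""Data whitening vs. encryption.

Whitening XORs a payload with a fixed pseudo-random sequence from a linear-
feedback shift register (LFSR) so the radio never sees long runs of identical
bits. The sequence depends only on a published polynomial and a fixed seed, so
removing it requires no secret: it improves the RF link, not confidentiality.
"""
import hashlib


def pn9_sequence(nbytes: int, seed: int = 0x1FF) -> bytes:
    """PN9 whitening sequence (x^9 + x^5 + 1), LSB-first output.
    Assumption: a generic ISM-band PN9 generator used for illustration,
    not the sequence of any specific transceiver."""
    state = seed & 0x1FF
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            byte |= (state & 1) << bit           # output bit is LFSR bit 0
            feedback = (state ^ (state >> 5)) & 1  # taps at bits 0 and 5
            state = (state >> 1) | (feedback << 8)
        out.append(byte)
    return bytes(out)


def whiten(payload: bytes) -> bytes:
    """XOR with the public PN9 sequence. The same call un-whitens,
    because the transform is self-inverse and involves no key."""
    return bytes(p ^ k for p, k in zip(payload, pn9_sequence(len(payload))))


def keyed_mask(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Key-dependent mask (toy illustration of why encryption differs:
    without `key` the mask cannot be regenerated). Real firmware should
    use a vetted AEAD such as AES-GCM, not this construction."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def needs_secret_to_recover(payload: bytes) -> bool:
    """Check a practitioner wants: does recovering the payload from a
    whitened frame require anything secret? For whitening it does not."""
    frame = whiten(payload)
    return whiten(frame) != payload   # False: recovered with no key at all
```

Running the check on a constructed telemetry frame returns `False` for whitening, while a frame masked with `keyed_mask` cannot be unmasked by anyone who applies the wrong key.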
5. STJ disputes that its ICD was “crashed” by the attack. We have posted a video of a crash attack test on a pacemaker. We invite STJ to explain what is going on with its pacemaker. The video is available at https://vimeo.com/180593205
We now address the fluff. We engaged a firm to do a credibility analysis of STJ’s response. The following analysis, prepared by a former Central Intelligence Agency behavioral analyst and polygrapher, indicates deception throughout the response. Many of these indicia are in the portions of the response we label “fluff”. The analysis is published as presented to Muddy Waters Capital LLC, and redacted only to protect the identity of the former CIA officer.
Credibility Assessment: St. Jude Medical (STJ)
27 August, 2016
This analysis of St. Jude Medical’s (STJ) 26 August, 2016 response to Muddy Waters Capital’s (MWC) report, released 25 August, 2016, reveals multiple indicators associated with deception. Outlined below are the portions of their response which offer the clearest display of such indicators. It is not uncommon for indicators to appear in clusters within a response-onset window in a traditional question and answer exchange. In the case of a written response, such as this, a more global assessment is made. As a general rule, the greater the number of indicators identified, the higher the likelihood of deception. For the sake of length I have in some places condensed, paraphrased, or summarized statements made by each party. In other places, where it is more beneficial, I have included full transcription.
The conclusions reached in this analysis are the independent opinions of the behavioral analyst and in no way or part constitute a buy or sell recommendation of the underlying security. Be advised that the deception detection protocol is not foolproof and is somewhat dependent on the size and quality of the data sample being analyzed. Errors and omissions may be contained herein.
Convincing Statements are used by deceptive persons in an attempt to manage the perception of their accuser towards the positive. The underlying goal of this linguistic device is to convince the other party that the accused would never do the thing they are accused of because they are not that kind of person, or in this case, that kind of company. When one cannot clearly show through the presentation of facts that they did not do the bad thing, then they must resort to another approach. Focusing on the kind of person/company they are is a subtle diversion away from the actual actions they took or failed to take – the bad thing they are being accused of. When used by corporations, as opposed to individuals defending themselves, Convincing Statements often take the form of sales language, canned corporate speak, and highly generalized statements that contain very little real information. STJ’s response contains a litany of these Convincing Statements:
“Our top priority is to reassure our patients….”
“St. Jude Medical stands behind the security and safety….”
“St. Jude Medical will remain ever vigilant and dedicated….”
“…..are not aware of such threats and will remain vigilant to the…..”
“We recognize the importance of providing physicians with up-to-date and accurate information in a timely and responsible manner…”
“Patient safety has always been our top priority and we have every reason to believe….”
Don’t be fooled by the fact that this kind of language is used often – deception is a very common part of human communication. It is the dense cluster of these statements in a relatively short rebuttal that indicates deception.
Exclusionary Qualifiers are used by deceptive persons when they wish to deny a specific portion of an