(Ir)responsible Disclosure
Computers have become an essential part of our lives, and in some cases, they are even responsible for keeping us alive. Our dependency to use computers for medical treatments such as diagnostic equipment, medical monitors and even life support is greater than ever. Technology has given the medical sector new and inspirational ways to continue to save people’s lives. However, with anything, it’s important to understand the possible risks.
A recent public vulnerability disclosure raised eyebrows and ethical questions around white hackers and how security vendors should best handle sensitive situations. On August 25, MedSec, a cybersecurity research company dedicated to serve the healthcare industry, publically disclosed alleged vulnerabilities in pacemakers developed by St. Jude Medical, a medical device manufacturer. While vulnerability disclosures in various pieces of equipment are not an uncommon occurrence, this time two controversial issues sprung up.
- First, unlike most disclosures, the vulnerabilities were announced publically without any attempt to responsibly disclose them to the manufacturing company beforehand. It is important to note there are no laws related to responsible disclosure, and it is maintained mainly as an industry best practice.
- Second, MedSec disclosed the alleged vulnerabilities to Muddy Waters, an investment research firm before notifying St. Jude Medical. In turn, this allowed MedSec to make a profit from their discovery by short-selling St. Jude Medical’s stock prior to announcing the vulnerabilities. The announcement did in fact cause a significant drop in the stock’s value, which lost more than 8%.
According to MedSec the reason they chose this course of action was two-fold: ensuring St. Jude Medical promptly fixes the vulnerabilities, and to cover the expenses of their vast research efforts that led to the discovery of the alleged vulnerabilities.
When a vulnerability is disclosed, the first question that should come to mind is around the people affected. In this case it’s important to understand the potential risk to people who have vulnerable pacemakers implanted. What does this mean for them? Public unaddressed zero-day vulnerabilities are infinitely more dangerous than arcane ones. Without public knowledge, most hackers would not be able to find the vulnerability in the first place, especially vulnerabilities that require a dedicated long term research with specific specialties – it’s too much time and resource-consuming when they can use known flaws for exploitation.
This is where it gets muddy. Now this alleged vulnerability is public, if it does exist; it’s safe to assume criminals are trying to exploit it and security measures to address it are top priority. However, since the vulnerability wasn’t brought to the attention of St. Jude Medical beforehand, there’s unease and confusion – publically. St. Jude Medical has denied the allegations, stating the devices which were in fact acting as planned. In addition, researchers from the University of Michigan raised doubt regarding the conclusions of the MedSec report, stating, “The evidence does not support their conclusions.” While the issue has yet to be fully resolved, patients worldwide are left hanging, not knowing whether they are in fact at risk. This type of situation can only be avoided by working closely with the manufacture to assess the vulnerabilities and mitigate them.
Responsible disclosure is a method for stakeholders to be on the same page. There is an agreement of a period of time for the vulnerability to be patched before going public with the details. While setting rules might be complicated, due to the different nature of the various vulnerabilities found today, some agree guidelines should be put in place.
Since responsible disclosure is not required by law, many companies offer bounties as an incentive for reporting vulnerabilities and bugs directly to them instead of going public. However, this system has its couple faults. As in this case with Apple, the manufacturing company can be outbid, and while the responsible choice should be disclosing the vulnerability for it to be fixed, it could be more profitable to disclose it elsewhere. In addition, companies can use the responsible disclosure process to hush or play down vulnerabilities, and even stall fixing them leaving devices exposed to be exploited and the affected unaware.
This case also introduces an additional ethical debate around white hackers leveraging their research to influence the stock market for financial gain. As details of this on-going case are coming to light, MedSec and Muddy Waters profited from shorting a stock they knew would fall. Just imagine if security hackers started using their ‘do-good’ research to profit financially by short selling the company’s stock knowing that once they revealed the vulnerability there would be a sharp decline in their stock value. If this scenario is copied by additional actors, the results for users’ security could be severe.
As a longtime member of the security community, Check Point believes white hats and security vendors should keep the users’ safety top priority. It’s important to tread carefully in controversial issues, and do the utmost to follow the responsible disclosure process. Check Point has practiced responsible disclosure in the past, and will continue to do so in the future.