1. 31

  2. 16

    Well, it’s finally happened.

    So in my opinion, what should now happen is that the manufacturer is fined out of existence, the executive team and board are all fined into destitution, and the fear of god is put into everyone else in the market so they actually take security seriously. What I suspect actually will happen is that 465,000 patients pay out of their own pocket or insurance to rectify the incompetence of their medical device supplier, who ends up facing no meaningful repercussions. I really really hope it doesn’t come to actual deaths from poor security practices for us to fix this.

    1. 9

      Karen Sandler has a great talk about this topic.

      What should happen is that the software in these things should be treated like the public good that it is: free for everyone to inspect, audited, with paid and properly trained government employees or contractors to inspect it. When it’s a matter of life and death, this should not be left in the hands of secretive corporations.

      1. 8

        I watched 20 min or so of that talk last night. It was good. The problem is that they’re certainly not going to go FOSS on this stuff. If we want to improve security/quality, we can instead make them go through one or more evaluations by independent pentesters. We can also let academics or new people in pentesting at reputable firms review it under NDA on the code itself w/ responsible disclosure like we ordinarily do. They do this stuff before the product is released, maybe while being developed, with the last one allowed to happen after. This order reduces costs, increases industry acceptance, and (best for last) kills fewer people by spotting problems early.

        Just a regulation forcing high-quality development practices followed by strong review will drive quality up. That was evidenced by the TCSEC for security and currently DO-178C for safety in aerospace. The latter created an entire ecosystem of tooling including model-based development, static analyzers, certified compilers (or insert tool here), safer languages, graphics stacks, and even companies expediting certification-oriented tasks. Each component is done the best they can since re-certification likely costs more than removing the defect before certification. Then, they re-use what components they can to further reduce certification costs to just new components plus integration specs/code. It’s a proven model.

        I’ll note that neither safety nor security critical stuff allowed wireless by default unless it was absolutely necessary as part of the system. Having radio in military or aerospace is an example. Even then, many products mediate it some way with middleware or at the switch. Type 1-certified WiFi adapters even address side channels. None of this shit is new in sub-fields with good regulation for safety or security. FDA just seems to have terrible regulation on the software side based on everything I’ve seen. That’s on top of the companies’ own BS. Bad combo.

        1. 7

          The problem is that they’re certainly not going to go FOSS on this stuff

          Why the fuck not? We should be demanding it instead of saying “meh, it’ll never happen”. Certainly if we don’t even demand it, it won’t happen.

          The FDA audits other things about medical devices, why not the software?

          1. 4

            You should do a survey on how many people are “demanding” these things be FOSS versus how many told their elected representatives they wouldn’t vote for them unless it happened versus how many raised funds to pay (lobby) those representatives to make it happen. The tiny, tiny number you’ll get out of that survey of active participants versus comments or likes on social media is why I’m assuming it won’t happen. I’m instead going for compromises with vendors that help consumers with little or no damage to vendors bottom line. Those kind of compromises happen all the time just as a part of doing business (i.e. being competitive).

            Of course, most of them won’t care. So, I try to push quality plus resulting PR as a good differentiator on the companies. On the consumers, I tell them to try to force it. I’m barely active in doing that now past educating them about options when they ask. The participation level is so low on average it’s not even worth trying. Occasionally, like with SOPA or Snowden, something becomes a hot media topic where I can try to push something with folks taking action. Otherwise, I’m focusing on ways to incentivize creating and maintaining better things now. Plus doing it myself with R&D.

            Note: This is the U.S. I’m talking about. The environment in other countries might be better for reformers.

            1. 2

              Sad but true, apart from lobsters/Slashdot/reddit/ars, Schneier, and Stallman, no one cares.

            2. 1

              I can’t think of anything more out of step with current US politics than asking for a major increase in FDA budget to hire a technical staff capable of auditing proprietary software in medical devices. I mean, it’s rational and good policy, but we’ve had 50 years of marketing of the idea that regulation is evil.

          2. 4

            I agree with you, however, software in vehicles affects billions of people a year and we haven’t achieved this so far :(

          3. 2

            Why does that help anyone? Perhaps we’d have better results in the industry if we took the same approach that the NTSB takes to people who make mistakes piloting a plane without killing anyone.

            1. -5

              The patient didn’t have to buy the medical device, did they?

              If I found somebody dying in a desert and gave him some water, do I need to make him sign a waiver that says he won’t sue me if my water isn’t up to WHO drinking water quality standard?

              People need to stop acting as if personal agency ceases to exist as soon as you step into a hospital.

              1. 11

                The patient didn’t have to buy the medical device, did they?

                Are you fucking serious?

                I mean, no, technically they could have chosen to die instead of getting a pacemaker implanted, but if you’re so sociopathic you think that’s a real choice, I feel fully comfortable dismissing everything you have to say out of hand.

                1. 10

                  … This is an exploit that allows anybody within fifty feet to untraceably kill you. How the fuck is that the patient’s fault?

                  1. 3

                    If the patient knew that, then buying it would be their fault if they had alternatives. In her case, she got an older one without wireless. If the patient didn’t know that, blame gets more complicated given how much the demand side had to do with us having no or shitty INFOSEC requirements in this area. I still blame the manufacturer by default, though, since safety-critical markets are supposed to assess and mitigate risks where possible. They’re barely trying.

                  2. 8

                    The patient didn’t have to buy the medical device, did they?

                    The patient was not properly informed that the device about to be plucked inside his meat is a malfunctioning and unsecured piece of shit.

                    Go read some Austrians writing about customary law, IDK.

                    1. -4

                      The patient was not properly informed

                      Why didn’t the patient demand a security audit, or to see the result of one?

                      If the patient had, then he was able to make the best decision available to him. If he hadn’t, then who else could be blamed?

                      Why is an insecure device the only option available? Why didn’t the patients or would-be patients pressure the manufacturers or the insurers to secure their devices before 465k of them were produced and implanted?

                      We all know people don’t care about security until it kills them or their company. Then they just cry and whine about how the government or the ‘industry’ should have prevented this. When all it needed was consumer demand for secured stuff, but then the blame would be placed squarely on themselves.

                      1. 12

                        Do you audit each and every item that can potentially kill you? That heated toilet seat in the hotel? ABS controller in your vehicle or your Uber ride? Baby formula for your child?

                        Or do you count on manufacturers and regulatory bodies doing their job properly?

                        1. 4

                          It’s called Consumer Reports. They have a large number of subscribers who read up on their functionality and quality assessments of various products before they buy. We call it being a responsible or informed consumer. If it’s a life-critical product, then making the wrong choice can kill you. In that case, it’s certainly the consumer’s responsibility to at least try to assess the risk. I noted in another comment manufacturers were working hard to make that hard to cover up their BS. Regulations, lawsuits, and vote with wallet are solutions to that when such is revealed as in this case.

                          I will note a subset of people can still avoid trouble by just making the connection that an Internet or wireless connection can equal being hacked. There’s a lot of lay people in the Mid-South US that know that. They see hacks in the media all the time. So, they avoid stuff with “too much technology” or Internet-connected if it’s about risk reduction. They’re being forced to make concessions balancing their needs as consumers in things like automobiles where every manufacturer seems to be cramming more computers into their vehicles. A lot of folks still buy older vehicles or appliances, though. I exclusively do with my appliances being more reliable, too. That’s another thing lay people know and can act on: “They don’t build things like they used to. Stuff used to last forever.”

                          1. 3

                            Consumer Reports, do you seriously suggest reading them for about any possibly dangerous item you use?

                            I will note a subset of people can still avoid trouble by just making the connection that an Internet or wireless connection can equal being hacked.

                            I don’t know. Radio has been around for over a century, doesn’t get hacked. TV with bunny ears, doesn’t get hacked in probably a trillion years of cumulative use worldwide. Why should the users (and potential pacemaker users sure peak out past middle age) expect a certified medical device to be vulnerable?

                            OK, let’s take any medical item that can kill you. Did you ever have a CAT scan or an X-ray? Do you guys read up on them in Consumer Reports? Do you call up the vendor and audit the source code?

                            1. 4

                              “Consumer Reports, do you seriously suggest reading them for about any possibly dangerous item you use?”

                              You’re pulling that, and the use of it for X-ray machines, out of thin air. I offered them as evidence that a lot of people do research on pros and cons of major buying decisions. Especially on reliability or safety, with Underwriters Laboratories testing a lot of them. People also use reviews. Your comment indicated we should expect consumers to do nothing in a market where many suppliers have actively harmed them with that being widespread knowledge among the same consumers. That’s irrational.

                              Consumers should be doing research on something as serious as a pacemaker. They should also be collectively pushing for safety and security regulations. They’re already abuzz on Twitter or Facebook over various device hacks but that’s the limit of most of their participation in democracy, research, or buying decisions. I blame them as much as the suppliers given suppliers respond to changes in regulation or demand. Like they did with DO-178B in aerospace or quality in automotive after Toyota proved it was profitable.

                              “Radio has been around for over a century, doesn’t get hacked.”

                              Sure it does. People snooping on radio channels, interference with signals, or messing with people’s WiFi are known risks to large amounts of the general public due to media and/or personal experience. Movies and news stories also periodically feature direct attacks that happen wirelessly. That so many people without technical background connected the dots on this makes me think it’s pretty obvious to anyone paying attention. Many don’t though since apathy or laziness prevails. Some just miss the information or can’t understand it. I don’t judge them.

                              “Did you ever have a CAT scan or an X-ray? Do you guys read up on them in Consumer Reports? Do you call up the vendor and audit the source code?”

                              I ask about the risks. Doing so made me get less of them where possible (not often possible…). If I do take one, I’m also aware we can at least punish the manufacturer in court with a class-action. I also push everyone from consumers to legislators to force effective regulations on those companies for safety or security of built-in electronics. I’ve even recommended specific tools to people who claim to work for such companies to cost-effectively improve safety/security. So, yeah, I do what I can. Just not enough of us doing it with this problem really needing voters to force the suppliers to prevent risks or at least be honest about them. Like we do for food labels with a lot of benefit.

                              1. 2

                                When you asked about the risks of an X-ray, did your radiologist include the machine malfunctioning and killing you? Mine did not, despite the possibility of software or hardware tampering.

                                1. 2

                                  Even with no tampering, https://en.wikipedia.org/wiki/Therac-25

                        2. 9

                          Why didn’t the patient demand a security audit, or to see the result of one?

                          Hahahaha :)

                          1. 5

                            Why didn’t the patient demand a security audit, or to see the result of one?

                            Wow.

                            1. 3

                              We all know people don’t care about security until it kills them or their company. Then they just cry and whine about how the government or the ‘industry’ should have prevented this.

                              To support that point, they also won’t buy it most of the time. The security-focused products usually either die in the market or get minimal sales. The highly-usable software with better security (eg encrypted chat) is avoided for either network effects or just frivolous reasons. The demand side is strongly in favor of taking on risk even for convenience or even just what an app looks like. They’ll take on a known risk then blame others when shit happens. Or they’ll not even try to assess risk of something life-critical followed by saying it’s other people’s fault.

                              This case is trickier to assess in terms of the big picture. The medical vendors added functionality that could get people killed. They didn’t disclose the risks. Based on her report, I’m assuming the doctor was getting paid extra to push that vendor’s product. These are both common things in the market that get patients killed. The pay-offs in particular are so widespread that a major journal gave up one time on trying to find doctors to do independent reviews of medical studies who weren’t taking bribes from one of the companies. I think they raised it to $10k in that situation. Also, Karen Sandler had to work her ass off to even get close to talking to engineers who then blew her off. She’s a persistent, tech-oriented person who couldn’t get the risk assessment.

                              It’s clear that the market failed miserably if it’s about delivering value to the customers, esp. saving their lives. Alternatively, the market succeeded if it’s about delivering value to the doctors and medical companies while killing lots of their patients or causing recalls. This is a good example of why regulations on security precautions or at least risk disclosures are a good thing. Why those don’t happen is partly the consumers’ fault, though, as they’re rarely taking democratic action against these problems. Only a few of the hundred plus people I’ve talked to about these things even wrote a letter to Congress. The companies’ lobbyists are active as hell, though.

                          2. 2

                            This seems like an odd response to me. Most others responding to you seem more interested in being tribal, which is unfortunate. But surely you must recognize that blame isn’t necessarily on the purchaser, no? If I sell you a device and claim it does x, y and z, and if it falls short of my claim, then I’ve committed fraud. In which case, purchasers of my device would be entitled to some form of restitution.

                            Your analogy falls flat for me, because the relevant bits here are what the seller is claiming they’re selling. And depending on the context, it is easy to see how even private courts can treat different situations based on precedent and standards of reasonableness.

                            1. 1

                              Stop whining about things you don’t understand. Yeah, civilization is complex and it won’t get simpler just because you cry like a baby every time an actual strategy is required. If you can’t cope, learn alone or ask for help.

                              Ancap rulez byatch, I don’t have to understand a shit about the world or care about stupid fucker’s opinion. Sup.

                              Your ideology doesn’t scale and will lead to a series of wars ending with once again consolidated power or total annihilation. Either improve it or shut the fuck up.

                              1. 1

                                Libertarianism is the bureaucratic ideology.