e dot dot dot
a mostly about the Internet blog by

Researchers Build App That Kills To Highlight Insulin Pump Exploit

By now the half-baked security in most internet of things (IOT) devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IOT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

Case in point: just about two years ago, security researchers discovered some major vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin pumps. At a talk last year, they highlighted how a hacker could trigger the pumps to either withhold insulin doses or deliver a lethal dose of insulin remotely. But while Medtronic and the FDA warned customers about the vulnerability and issued a recall over time, security researchers Billy Rios and Jonathan Butts found that initially, nobody was doing much to actually fix or replace the existing devices.

So Rios and Butts got creative in attempting to convey the scope and simplicity of the threat: they built an app that could use the pumps to kill a theoretical patient:

"We've essentially just created a universal remote for every one of these insulin pumps in the world," Rios says. "I don't know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."
To target a specific insulin pump, a hacker would need to know the proper serial number of the device they're targeting. But the app simplifies this process by quickly running through all potential serial numbers until it hits the correct one. The gambit seems to have worked: a week after the team demonstrated its proof of concept app to FDA officials in mid-June of this year, Medtronic announced a voluntary recall program. Years after Medtronic first learned about the flaws in these devices, there's now a structure in place that allows patients to use the devices if they want, and replace them for free if they don't.

That said, the researchers are still quick to point out that this kind of dysfunction (offering potentially fatally compromised products but having no avenue to correct them) is fairly common in the medical sector:

"...the climate for medical device vulnerability disclosures is still clearly fraught if researchers feel that they need to take extreme, and even potentially dangerous, steps like developing a killer app to spur action."

"If you think about it, we shouldn't be telling patients, 'hey, you know what, if you want to you could turn on this feature and get killed by a random person.' That makes no sense," QED Security Solutions' Rios says. "There should be some risk acceptance; this is a medical device. But an insecure feature like that just needs to be gone, and they had no mechanism to remove it."
And of course that's not just a problem in the medical sector, but in most internet-connected tech sectors. As security researcher Bruce Schneier often points out, it's part of a cycle of dysfunction where the consumer and the manufacturer of a flawed product have already moved on to the next big purchase, often leaving compromised products, and their users, in the lurch. And more often than not, when researchers are forced to get creative to highlight the importance of a particular flaw, the companies in question enjoy shooting the messenger.

posted at: 12:00am on 20-Jul-2019
path: /Policy

Gibson Guitar Formalizes Its Hands-Off IP Enforcement Approach With Authorized Partnership Program

As I mentioned when we recently discussed Dean Guitars' pushback and counter-suit against Gibson Guitar's trademark lawsuit, Gibson CEO James Curleigh's vague declaration of a relaxed position on IP enforcement has calcified into something of an official corporate program. It's not all bad, but it's not all good either.

We'll start with the good. Gibson has decided to recognize that there are fans inspired by its designs who want to create their own guitars and even sell them on occasion. In recognition of this, Gibson is starting an "authorized partnership" program to allow those creators to build guitars without fear of legal threat.

The initial stages of the Program will see Gibson grant several boutique builders permission to create guitars based on the body shapes that it claims to own. The agreement involves specific terms set by Gibson, reports NewsChannel 5: chief among them that the boutique brands must acknowledge these shapes do indeed belong to Gibson.

“We’ve entered into some agreements with three or four boutique guitar companies, and basically, they actually love Gibson, and we actually love them,” Curleigh said in the interview. “We just have to have a conversation around where the lines are between shapes and names, etc. And what’s amazing is, as soon as we enter into those conversations, it leads to a collaborative, creative conversation. So it’s going to work basically, it’s essentially an agreement where they acknowledge: ‘Yup, these are your shapes,’ and we say, ‘you can use them.’”
While it's a step forward for Gibson to enable these companies to create and build off of the inspiration from Gibson, you can already see hints of that old protectionist attitude creeping back in. In order to enter into this sort of agreement, these companies must first bow at the altar of Gibson by acknowledging that it holds trademarks on many of its designs. While that may be something approaching SOP for these types of partnership or licensing agreements, the current legal battle with Dean Guitars puts this very much in question. Whether Gibson does in fact hold valid trademarks on its most treasured guitar designs is subject to the outcome of Dean's counter-suit, in which Dean attempts to invalidate many of those trademarks entirely.

Regardless, putting so much emphasis on the acknowledgement that Gibson has these valid trademarks feels like the vestigial remains of the company's old protectionist policies. And, while Curleigh insists that he isn't trying to build this as a revenue stream for Gibson, the agreements do also allow the company to control how many of these 3rd party guitars get sold and to demand royalty fees, so there's that.

Add to all of that that Curleigh isn't exactly giving up litigation as an option, either, and one wonders just how much of a shift in company culture this is all going to be.
“My last resort, I can tell you as a leader, is always going to be legal. But if a company or a brand leaves us, or me, with no choice, I have to follow that direction,” the CEO continued. “I don’t want to, but part of our brand and our business is intellectual property, and kind of half of the value of some companies are in that. We have to preserve and protect [our trademarks], but I think we can do it in a way that’s not confrontational, it’s more collaborative.”
These types of subtle changes can indeed have outsized effects, but it's all in the follow through. Again, this is for sure a step in a positive direction for Gibson, which has traditionally been very protective of its perceived IP. What remains to be seen is if this is really the cultural change Curleigh promised.

posted at: 12:00am on 20-Jul-2019
path: /Policy