I’m a believer in responsible disclosure. But…
When diabetic security researcher Jay Radcliffe demonstrated at BlackHat how he could take control of the pump that controls insulin levels in his own body, it seemed quite reasonable that he didn't name the manufacturer because "If I name the vendor, then any bad guy or evil hacker…can start exploit code on it right away."
Having fielded quite a few questions from the press on the topic, I could see the shock value of the demonstration, but I could also see the wisdom of not allowing some ethically-challenged coder the chance to give him the benefit of some unexpected insulin shock therapy. (Oddly enough, I was once involved in the 70s in the care of a patient receiving insulin coma therapy, even though the treatment was usually considered obsolete by then. But I think I'll keep that story for my memoirs.)
However, I note that a Reuters article today tells us that he has now stated that the company concerned was Medtronic, explaining that the company was downplaying the significance of the vulnerability and urging the public to pressure the firm into reacting more positively.
I'm a believer in responsible disclosure (giving the vendor the opportunity to fix a vulnerability before disclosing it, or at any rate disclosing it fully). But even though the chances are that some member of some real-life Assassin's Guild is not even now furiously hacking a Medtronic pump with the intention of adding an extra weapon to his anti-Radcliffe toolkit, I still have some grudging admiration for Radcliffe's willingness to take the risk of naming the company. After all, I can't see remediation being achieved as quickly as all that.
But I have to wonder whether other Medtronic customers are as happy to share that risk with him.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow