Medtronic partners with cybersecurity startup Sternum to protect its pacemakers from hackers

If you think cyberattacks are scary, imagine one directed at your cardiac pacemaker. Medtronic, a medical device company, has been in hot water over the last couple of years because of vulnerabilities in the internet-based systems used to update its pacemakers. In a new partnership with Sternum, an IoT cybersecurity startup based in Israel, Medtronic has focused on resolving the issue.

The problem was not with the implanted devices themselves, but with the remote systems used to update them. Medtronic’s previous fix was to disconnect the devices from the internet, which in turn causes problems of its own.

“Medtronic was looking for a long-term solution that can help them with future developments,” said Natali Tshuva, Sternum’s founder and CEO. The company has already secured about 100,000 Medtronic devices.

Sternum’s solution lets medical devices protect themselves in real time.

“There’s this endless race against vulnerability, so when a company discovers a vulnerability, they need to issue an update, but updating can be very difficult in the medical space, and until the update happens, the devices are vulnerable,” Tshuva told TechCrunch. “Therefore, we created an autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities.”

However, it is easier to protect new devices than to retrofit protection onto legacy devices. Hackers have grown more sophisticated over the years, so medical device companies have had to work out how to protect the devices already in the field.

“The market already has millions — perhaps billions — of medical devices connected, and that could be a security and management nightmare,” Tshuva added.

Beyond the potential harm to an individual patient, attackers have used vulnerable devices as a gateway of choice into hospital networks, where a breach can affect many more people. Tshuva explained that hospital networks are secured from the inside out, but unprotected devices connecting to those networks create a way in.

In fact, health systems suffer more data breaches than any other sector, accounting for 79% of all reported breaches in 2020, and the first 10 months of last year saw a 45% increase in cyberattacks on health systems, according to data from Health IT Security.

In addition to its partnership with Medtronic, Sternum also launched an IoT platform this week that allows “devices to protect themselves, even when they are not connected to the internet,” Tshuva said.

Sternum, which raised about $10 million to date, also offers cybersecurity for IoT devices outside of healthcare, and according to Tshuva, the company focuses on areas that are “mission-critical.” Examples include railroad infrastructure sensors and management systems, and power grids.

Tshuva, who grew up in Israel, holds a master’s in computer science and served in the Israel Defense Forces’ Unit 8200, the signals-intelligence unit often compared to the U.S. National Security Agency. She said she always wanted to make an impact in the medical field. “I looked to combine the medical space with my life, and I realized I could have an impact on remote care devices,” she said.

Facebook brings software subscriptions to the Oculus Quest

Subscription pricing is landing on Facebook’s Oculus Store, giving VR developers another way to monetize content on Facebook’s Oculus Quest headset.

Developers will be allowed to add premium subscriptions to paid or free apps, with Facebook presumably taking its standard percentage cut at the same time. Oculus and the developers on its platform have been riding the success of the company’s recent Quest 2 headset; Facebook hasn’t detailed sales numbers, but has said the months-old $299 headset has already outsold every other Oculus headset to date.

Subscription pricing is an unsurprising development, but it signals that some developers believe they have a loyal enough user base to bring in meaningful recurring revenue. Facebook shipped the first Oculus Rift just over five years ago, and it has been a zig-zagging path to early consumer success since then. A big challenge for the company has been building a dynamic developer ecosystem that offers users something engaging while ensuring that VR devs can operate sustainably.

At launch, there are already a few developers debuting subscriptions for a number of different app types, spanning exercise, meditation, social, productivity and DJing. In addition to subscriptions, the new monetization path also allows developers to let users try out paid apps on a free trial basis.

The central question is how many Quest users use their devices enough to justify several monthly subscriptions, but for developers looking to monetize their most dedicated users, this is a tool they likely felt was missing from the Oculus Store.

Grocery startup Mercato spilled years of data, but didn’t tell its customers

A security lapse at online grocery delivery startup Mercato exposed tens of thousands of customer orders, TechCrunch has learned.

A person with knowledge of the incident told TechCrunch that the incident happened in January after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unprotected.

The company fixed the data spill, but has not yet alerted its customers.

Mercato was founded in 2015 and helps over a thousand smaller grocers and specialty food stores get online for pickup or delivery, without having to sign up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles, and New York, where the company is headquartered.

TechCrunch obtained a copy of the exposed data and verified a portion of the records by matching names and addresses against known existing accounts and public records. The data set contained more than 70,000 orders dating between September 2015 and November 2019, and included customer names and email addresses, home addresses, and order details. Each record also included the IP address of the device used to place the order.

The data set also included the personal data and order details of company executives.

It’s not clear how the security lapse happened, since Amazon S3 buckets are private by default and typically become readable by outsiders only if the owner changes the bucket’s policy or access control list, or when the company learned of the exposure.
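As an added example (not Mercato’s or TechCrunch’s code), the check below evaluates a bucket’s exposure offline from the three things that determine it: the bucket policy, the ACL grants and the Block Public Access settings. The bucket name, owner ID and sample configurations are constructed for illustration; the input shapes mirror what the AWS API returns for GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock.

```python
import json

# Group URIs that make an ACL grant effectively public (AuthenticatedUsers = any AWS account)
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_grants_public_read(policy_json):
    """True if an Allow statement lets an anonymous principal read without a Condition.
    Statements carrying a Condition are treated as non-public here, a simplification:
    AWS's own public-bucket evaluation accepts only a narrow set of condition keys."""
    if not policy_json:
        return False
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def acl_grants_public_read(grants):
    """True if the ACL grants READ or FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False


def bucket_exposure(policy_json, grants, public_access_block):
    """Return the reasons the bucket is readable by outsiders; an empty list means it is not.
    Block Public Access flags neutralise the matching mechanism: IgnorePublicAcls makes
    public ACL grants inert, RestrictPublicBuckets does the same for a public policy."""
    pab = public_access_block or {}
    reasons = []
    if acl_grants_public_read(grants) and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants read access to AllUsers/AuthenticatedUsers")
    if policy_grants_public_read(policy_json) and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows Principal * to read objects")
    return reasons


# --- constructed sample configurations (hypothetical, not Mercato's) -----------
ORDERS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-orders/*",  # hypothetical bucket name
    }],
})
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                   "Permission": "FULL_CONTROL"}]
ALL_USERS_READ_ACL = OWNER_ONLY_ACL + [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                        "Permission": "READ"}]
BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def audit_samples():
    """Evaluate four constructed states: the default, opened by policy, opened by ACL,
    and opened by both but with Block Public Access switched on."""
    return {
        "default_new_bucket": bucket_exposure(None, OWNER_ONLY_ACL, {}),
        "opened_by_policy": bucket_exposure(ORDERS_POLICY, OWNER_ONLY_ACL, {}),
        "opened_by_acl": bucket_exposure(None, ALL_USERS_READ_ACL, {}),
        "opened_but_bpa_on": bucket_exposure(ORDERS_POLICY, ALL_USERS_READ_ACL, BPA_ALL_ON),
    }


if __name__ == "__main__":
    for name, reasons in audit_samples().items():
        print(f"{name}: {'PUBLIC: ' + '; '.join(reasons) if reasons else 'private'}")
```

The default state evaluates as private, which is the point of the sentence above: a bucket like this one leaks because someone changed its policy or ACL, and the last sample shows why enabling Block Public Access is the cheap guard against that change ever taking effect.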

Companies are required to disclose data breaches or security lapses to state attorneys general, but no notices have been published in states where they are required by law, such as California. The data set included more than 1,800 California residents, more than three times the number needed to trigger mandatory disclosure under the state’s data breach notification law.

It’s also not known if Mercato disclosed the incident to investors ahead of its $26 million Series A raise earlier this month. Velvet Sea Ventures, which led the round, did not respond to emails requesting comment.

In a statement, Mercato chief executive Bobby Brannigan confirmed the incident but declined to answer our questions, citing an ongoing investigation.

“We are conducting a complete audit using a third party and will be contacting the individuals who have been affected. We are confident that no credit card data was accessed because we do not store those details on our servers. We will continually inform all authoritative bodies and stakeholders, including investors, regarding the findings of our audit and any steps needed to remedy this situation,” said Brannigan.


Google’s FeedBurner moves to a new infrastructure but loses its email subscription service

Google today announced that it is moving FeedBurner to a new infrastructure but also deprecating its email subscription service.

If you’re an internet user of a certain age, chances are you used Google’s FeedBurner to manage the RSS feeds of your personal blogs and early podcasts at some point. During the Web 2.0 era, it was the de facto standard for feed management and analytics, after all. Founded in 2004, with Dick Costolo as one of its co-founders (before he became Twitter’s CEO in 2010), it was acquired by Google in 2007.

Ever since, FeedBurner lingered in an odd kind of limbo. While Google had no qualms shutting down popular services like Google Reader in favor of its ill-fated social experiments like Google+, FeedBurner just kept burning feeds day in and day out, even as Google slowly deprecated some parts of the service, most notably its advertising integrations.

I don’t know that anybody spent a lot of time thinking about the service, and RSS has slowly (and sadly) fallen into obscurity, yet the service was probably easy enough to maintain that Google kept it going. Despite everything, shutting it down would probably break enough publisher tools to cause quite an uproar. The TechCrunch RSS feed, to which you are surely subscribed in your desktop RSS reader, is http://feeds.feedburner.com/TechCrunch/, after all.

So here we are, 14 years later, and Google today announced that it is “making several upcoming changes to support the product’s next chapter.” It’s moving the service to a new, more stable infrastructure.

But in July, it is also shutting down some non-core features that don’t directly involve feed management, most importantly the FeedBurner email subscription service that emailed you an alert when a feed updated. Feed owners will be able to download their email subscriber lists (and will still be able to do so after July). With that, Blogger’s FollowByEmail widget will also be deprecated (and hey, did you start this day thinking you’d read about FeedBurner AND Blogger on TechCrunch without having to travel back to 2007?).

Google stresses that other core FeedBurner features will remain in place, but given the popularity of email newsletters, that’s a bit of an odd move.

New Quest 2 software brings wireless PC streaming, updated ‘office’ mode

After a relatively quiet couple of months from Oculus on the software front, Facebook’s VR unit is sharing some details on new functionality coming to its Quest 2 standalone headset.

The features, which include wireless Oculus Link support, “Infinite Office” functionality and upcoming 120Hz support, will roll out in the Quest 2’s v28 software update. There’s no exact word on when that update is coming, but the language in the blog post suggests the rollout is imminent.

The big addition is a wireless version of Oculus Link, called Air Link, which will let Quest 2 users stream content from their PCs directly to the standalone headset, enabling more graphics-intensive titles that were previously only available on the now largely defunct Rift platform. Air Link lets users ditch the tethered Oculus Link cable, though many users have already been doing this with third-party software such as Virtual Desktop.

It appears this upgrade is only coming to Quest 2 users in a new experimental mode, but not owners of the original Quest headset. Users will need to update the Oculus software on both their Quest 2 and PC to the v28 version in order to use this feature.

Accompanying the release of Air Link in this update are new features for “Infinite Office,” a VR office play that aims to bring your keyboard and mouse into VR and let users work with desktop-style software. Facebook debuted it at its VR-focused Facebook Connect conference, but hasn’t said much about it since.

Today’s updates include keyboard support that lets users not only pair their keyboard but see it inside VR. That support is limited to a single model from a single manufacturer (the Logitech K830), but Facebook says it will add support for other keyboards down the road. Users with this keyboard will see outlines of their hands as well as a rendering of the keyboard in its real position, enabling (theoretically) accurate typing. Infinite Office will also let users designate where their real-world desk is, which should help them orient themselves. Even with a keyboard, it seems there’s not much users can do at the moment beyond accessing the Oculus Browser.

Lastly, Oculus is letting developers try out 120Hz frame rate support for their titles. Facebook says nothing is actually available at that frame rate yet, not even the system software, but the support is there for developers on an experimental basis.

Oculus says the new software update will be rolling out “gradually” to users.

FBI launches operation to remotely remove Microsoft Exchange server backdoors

A Texas court has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously unknown vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, describing it as “successful.” It’s believed to be the first known case of the FBI effectively cleaning up private networks following a cyberattack.

In March, Microsoft disclosed that a China state-sponsored hacking group it calls Hafnium was targeting Exchange servers run on company networks. Chained together, the four vulnerabilities let the attackers break into a vulnerable Exchange server and steal its contents. Microsoft patched the vulnerabilities, but the patches did not remove the web shell backdoors from servers that had already been breached. Within days, other hacking groups began hitting still-unpatched servers with the same flaws to deploy ransomware.

The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained backdoored because the web shells are difficult to find and eliminate, the Justice Department said in a statement.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

The FBI said it is attempting to notify, by email, the owners of the servers from which it removed the backdoors.

Assistant attorney general John C. Demers said the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”

The Justice Department also said the operation removed only the backdoors: it did not patch the vulnerabilities the hackers exploited in the first place, nor remove any other malware left behind. Owners of affected servers therefore still need to apply Microsoft’s patches and check for other persistence.
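As an added example, not code from the FBI, Microsoft or TechCrunch: the statement above says each shell was identified by its unique file path, and that is also how a defender finds them, by comparing the server-side script files present on an Exchange front end against a known-good inventory of the same build. The script below does that diff, then removes only the exact paths it listed and refuses anything else. The directory layout is chosen to resemble a front end, but the baseline, the dropped file name and the file contents are constructed for illustration and are not real indicators.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")  # server-side script types IIS will execute


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map every executable script file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot drag an unrelated file into the listing."""
    root = Path(root)
    found = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        if p.suffix.lower() in SCRIPT_SUFFIXES:
            found[p.relative_to(root).as_posix()] = sha256_of(p)
    return found


def find_candidates(root, baseline):
    """Split what is on disk into files absent from the baseline (dropped shells) and files
    whose hash changed (existing pages with code appended). baseline is an inventory()
    taken from a clean install of the same Exchange build."""
    on_disk = inventory(root)
    extra = sorted(p for p in on_disk if p not in baseline)
    modified = sorted(p for p in on_disk if p in baseline and on_disk[p] != baseline[p])
    return extra, modified


def remove_exact_paths(root, rel_paths, dry_run=True):
    """Delete only the listed paths and nothing else: refuse symlinks, non-files and any
    path that resolves outside root. Returns the paths that were (or would be) removed."""
    root = Path(root).resolve()
    removed = []
    for rel in rel_paths:
        raw = root / rel
        if raw.is_symlink():
            continue
        target = raw.resolve()
        if root not in target.parents or not target.is_file():
            continue
        if not dry_run:
            target.unlink()
        removed.append(target.relative_to(root).as_posix())
    return removed


def demo():
    """Build a constructed front-end tree, snapshot it, simulate an intrusion, triage, clean."""
    tmp = Path(tempfile.mkdtemp())
    auth = tmp / "owa" / "auth"
    auth.mkdir(parents=True)
    (tmp / "ecp").mkdir()
    (auth / "logon.aspx").write_text("<!-- legitimate page (constructed) -->")
    (auth / "errorFE.aspx").write_text("<!-- legitimate page (constructed) -->")
    baseline = inventory(tmp)  # clean-install snapshot

    # Simulated compromise: one dropped file and one existing page with code appended
    (tmp / "ecp" / "zz9.aspx").write_text("<!-- constructed stand-in for a dropped web shell -->")
    (auth / "errorFE.aspx").write_text("<!-- legitimate page (constructed) --><!-- appended payload -->")

    extra, modified = find_candidates(tmp, baseline)
    planned = remove_exact_paths(tmp, extra, dry_run=True)                # review first
    refused = remove_exact_paths(tmp, ["../outside.aspx"], dry_run=True)  # escape attempt
    remove_exact_paths(tmp, extra, dry_run=False)                         # delete only the drop
    return {"extra": extra, "modified": modified, "planned": planned,
            "refused": refused, "remaining": sorted(inventory(tmp))}


if __name__ == "__main__":
    print(demo())
```

Run the dry run and review the list before deleting anything; modified pages are reported separately because overwriting a legitimate page is not the same decision as deleting a dropped one. And as the Justice Department notes, removing the shell does not patch the server or remove anything else the intruder left behind, so this is one step of a wider response, not the whole of it.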

Neither the FBI nor the Justice Department commented by press time.


How one founder identified a huge healthcare gap and acquired the skills necessary to address it

Our new podcast Found is now available, and the first episode features guest Iman Abuzeid, co-founder and CEO of Incredible Health. Abuzeid’s story of founding and building Incredible Health, a career platform for healthcare professionals focusing specifically on nurses, is all about a focused entrepreneur building a unique skill set, and acquiring the experience necessary to create a world-leading solution.

Abuzeid went to medical school and acquired her MD, but decided before residency to instead go get an MBA from Wharton, in order to pursue her dream of entrepreneurship, inspired by two generations of entrepreneurs in the family that preceded her. After eventually making her way to Silicon Valley and working in a couple of other startups in the healthcare space, Abuzeid took important lessons away from those experiences about what not to do when running your own company, and embarked on building her own with co-founder Rome Portlock, now the company’s CTO.

Incredible Health is tackling a huge challenge — the shortfall of availability of skilled nurses, and the lack of mature, sophisticated career resources to help those nurses in their professional life. COVID-19 threw those issues into stark relief, and Incredible Health adjusted its game plan to adapt to its users’ needs. Abuzeid tells us all about how she made those calls, and also how she convinced venture investors to come along for the ride.

We hope you enjoy this episode, and don’t forget to subscribe in Apple Podcasts, Spotify, or your podcast app of choice. We’d love to hear your feedback, too, either on Twitter or via email, and tune in weekly for more episodes.

Found is hosted by Darrell Etherington and Jordan Crook, and is produced, mixed and edited by Yashad Kulkarni. TechCrunch’s audio products are managed by Henry Pickavet, and Bryce Durbin created the show’s artwork. Found is published weekly on Friday afternoons, and you can find past episodes on TechCrunch here.

Scale CEO Alex Wang and Accel’s Dan Levine explain why sometimes unconventional VC deals are best

Few companies have done better than Scale at spotting a need in the AI gold rush early on and filling that gap. The startup rightly identified that one of the tasks most important to building effective AI at scale — the laborious exercise of tagging data sets to make them usable in properly training new AI agents — was one that companies focused on that area of tech would also be most willing to outsource. CEO and co-founder Alex Wang credits their success since founding, which includes raising over $277 million and achieving break-even status in terms of revenue, to early support from investors including Accel’s Dan Levine.

Accel has participated in four of Scale’s financing rounds, which is all of them unless you include the funding from YC the company secured as part of a cohort in 2016. In fact, Levine wrote one of the company’s very first checks. So on this past week’s episode of Extra Crunch Live, we spoke with Levine and Wang about how that first deal came together, and what their working relationship has been like in the years since.

Scale’s story starts with a pivot, and with a bit of rule-breaking, too — Wang went off the typical YC book by speaking to investors prior to demo day when Levine cold-emailed him after seeing Scale on Product Hunt. The Product Hunt spot wasn’t planned, either — Wang was as surprised to see his company there as anyone else. But Levine saw the kernel of something with huge potential, and despite being a relative unknown in VC at the time, didn’t want to let the opportunity pass him, or Wang, by.

Both Wang and Levine were also able to provide some great feedback on decks submitted to our regular Pitch Deck Teardown segment, despite the fact that Levine actually never saw a pitch deck from Wang before investing (more on that later). If you’d like your pitch deck reviewed by experienced founders and investors on a future episode, you can submit your deck here.

Knowing when to bend the rules

As mentioned, Levine and Accel’s initial investment in Scale came from a cold email sent after the company appeared on Product Hunt. Wang said the team had just put out an early version of Scale, and then noticed that it was up on Product Hunt — it was submitted by someone else. The community response was encouraging, and it also led to Levine reaching out via email.

“One of the side effects of that, one of the outcomes, was that we got this cold email from Dan,” he said. “We really knew nothing about Dan until his cold email. So like many great stories that started with a bold, cold email. And we were pretty stressed about it at the time, because in YC, they tell you pretty definitively, ‘Hey, don’t talk to a VC during the batch,’ and we were squarely in the middle of the batch.”

Wang and the team were so nervous that they even considered “ghosting” Dan despite his obvious interest and the prestige of Accel as an investment firm. In the end, they decided to “go rogue” and respond, which led to a meeting at the Accel offices in Palo Alto.

APKPure app contained malicious adware, say researchers

Security researchers say APKPure, a popular app for installing older or discontinued Android apps from outside Google’s app store, contained malicious adware that flooded victims’ devices with unwanted ads.

Kaspersky Lab said that it alerted APKPure on Thursday that its most recent app version, 3.17.18, contained malicious code that siphoned off data from a victim’s device without their knowledge, and pushed ads to the device’s lock screen and in the background to generate fraudulent revenue for the adware operators.

Worse, the researchers said the malicious code could also download other malware, potentially putting affected victims at further risk.

The researchers said the APKPure developers likely introduced the malicious code by bundling a third-party software development kit (SDK) obtained from an unverified source. APKPure removed the malicious code and pushed out a new version, 3.17.19, and the malicious version is no longer listed on its site.

APKPure was set up in 2014 to give Android users access to a vast bank of Android apps and games, including old versions, as well as regional app versions that are no longer on Google Play, Android’s official app store. It later launched an Android app, which itself has to be installed outside Google Play, serving as its own app store that lets users download older apps directly to their devices.

APKPure is ranked as one of the most popular sites on the internet.

But security experts have long warned against installing apps from outside the official app stores, because quality and security vary wildly, and much Android malware relies on victims sideloading malicious apps from outside the store. Google scans all Android apps that make it into Google Play, but some have slipped through the cracks before.

TechCrunch contacted APKPure for comment but did not hear back.

Watch a monkey equipped with Elon Musk’s Neuralink device play Pong with its brain

Elon Musk’s Neuralink, one of his many companies and the only one currently focused on brain-computer interfaces (that we’re aware of), has released a new blog post and video detailing some of its recent progress, including using its hardware to let a monkey play Pong with only its brain.

In the video, Neuralink shows how it used its implant to record a baseline of neural activity from a macaque (named Pager) as it played an on-screen game that required moving a token to different squares with a hand-held joystick. Using that baseline data, Neuralink trained a machine learning model to anticipate where Pager was about to move the physical controller, and was eventually able to predict the movement accurately before it was made. Researchers then removed the joystick entirely, and eventually did the same with Pong, ending at a point where Pager was no longer even moving its hand in the air over the nonexistent joystick but was controlling the in-game action entirely with its brain, via the Link hardware and the implanted neural threads.

The last we saw of Neuralink, Musk himself was demonstrating the Link tech live in August 2020, using pigs to show how it was able to read signals from the brain depending on different stimuli. This new demo with Pager more clearly outlines the direction that the tech is headed in terms of human applications, since, as the company shared on its blog, the same technology could be used to help patients with paralysis manipulate a cursor on a computer, for instance. That could be applied to other paradigms as well, including touch controls on an iPhone, and even typing using a virtual keyboard, according to the company.

Musk separately tweeted that in fact, he expects the initial version of Neuralink’s product to be able to allow someone with paralysis that prevents standard modes of phone interaction to use one faster than people using their thumbs for input. He also added that future iterations of the product would be able to enable communication between Neuralinks in different parts of a patient’s body, transmitting between an in-brain node and neural pathways in legs, for instance, making it possible for “paraplegics to walk again.”

These are obviously bold claims, but the company cites a good deal of existing research underpinning its current demonstrations and near-term goals. Musk’s more ambitious claims should, like all of his projections, be taken with a healthy dose of skepticism. He added that he hopes human trials will get underway “hopefully later this year,” which is already two years later than he initially anticipated.