The news last week was that the U.S. House Energy & Commerce Committee has asked the Government Accountability Office to investigate the security of the software that runs medical devices. But a prominent researcher says that security flaws in such devices are common, and that more federal oversight is necessary to change what he describes as a culture of lax security among medical device makers.
In this exclusive Threatpost podcast, Kevin Fu, an Associate Professor of Computer Science at the University of Massachusetts, Amherst, tells Threatpost editor Paul Roberts that the hack of a commercially available insulin pump earlier this month at the DEFCON hacker conference is nothing unusual. Fu and fellow researchers recently presented an analysis of a common Automatic External Defibrillator (AED) that found problems that included buffer overflow vulnerabilities and insecure password management and enforcement. Along with Prof. Dina Katabi of MIT, Fu is looking into methods for jamming implantable medical devices (IMDs). to prevent them from being wirelessly tampered with. Software vulnerabilities, including those that may be remotely exploitable, are increasingly common as implanted medical devices use wireless technology for management and diagnostic purposes, Fu says.