A choice quote from the abstract:
"The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled. The FDA has issued 23 recalls of defective devices during the first half of 2010, all of which are categorized as Class I, meaning there is 'reasonable probability that use of these products will cause serious adverse health consequences or death.' At least six of the recalls were likely caused by software defects."
Not by design -- although I am not complaining -- I am considered the father of the field of what I refer to as Bionic Hacking (others prefer cybernetic hacking). Having evangelized the subject matter for some years now, this is why I am especially happy to see this research released.
The four researchers warn that the FDA's lack of regulation and flexibility are creating potentially immense future liability; issues such as a vendor not being there to correct a future vulnerability is a main concern:
"At the very least, we urge the FDA to establish a repository of medical device software running on implanted IMDs in order to ensure continued access to source code in the event of a catastrophic failure, such as the bankruptcy of a device manufacturer"
While I am happy this realm of security is getting more attention, I hope the FDA is more serious than the security industry. I can't help but be skeptical that before some sort of disaster happens, whether to us or someone else, the controls put in place will be inadequate, to say the least.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron.
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.