Collective Intelligence Podcast, Billy Rios on Medical Device Security
Implantable cardiac devices and insulin delivery systems were on the front lines of critical medical device security research during the recent Black Hat security conference. Researcher Billy Rios of WhiteScope LLC and his collaborator Jonathan Butts delivered a talk outlining exploitable vulnerabilities in these medical devices, and the challenges associated with manufacturer Medtronic’s hesitance to remediate all 10 of the issues privately disclosed by Rios and Butts.
In this episode of the Collective Intelligence podcast, Rios and Editorial Director Mike Mimoso discuss the research into Medtronic devices and the risks posed to patients, such as potential alterations to life-saving therapy. Rios also covers some of the vulnerabilities, including a lack of cryptographic code signing of updates in Medtronic’s software delivery network, as well as the fact that the underlying operating system is the long-retired Windows XP, which is no longer supported with security updates.
Rios also talks about the challenges and two-year back-and-forth between the researchers and Medtronic to patch all of the issues privately disclosed to the company. The manufacturer has addressed some vulnerabilities but still has not included code signing, for example, and in a statement earlier this year called the residual risks “controlled” and the risk to patients therefore “acceptable.” Rios counters that a manufacturer should not be making those judgment calls for patients, and hopes that awareness of the issue will nudge physicians and the Food and Drug Administration to lock down the security of these and other medical devices.
Rios also describes an interaction he had at Black Hat with the mother of a patient with an implanted medical device, putting a real face on the critical risks patients face.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.