Professor to Congress: ‘Internet of Things security is woefully inadequate’

Michigan Engineering professor Kevin Fu spoke in front of congress on Nov. 16, 2016.

As the Internet of Things grows around us, so do the threat of cybersecurity breaches severe enough to shut down hospitals and other vital infrastructure, a Michigan Engineering professor told federal lawmakers this week.

Kevin Fu, associate professor of computer science and engineering, and director of the Archimedes Center for Medical Device Security, was one of several experts who called for federal security regulation of the Internet of Things (IoT). He spoke to the House Energy and Commerce Committee at the Nov. 16 hearing, “Understanding the Role of Connected Devices in Recent Cyber Attacks.”

On Oct. 21, many high-traffic sites including Paypal, Twitter, Amazon and Netflix went down for several hours due to an IoT-powered attack on web service provider Dyn. Hackers carried out the attack by taking advantage of vulnerabilities in connected consumer devices like webcams and digital video recorders—perhaps millions of them.

While the consequences of the Dyn breach were not major, Fu warned that it demonstrates a gaping security hole as more and more consumer technologies—appliances, thermostats, cars, airplanes, and medical devices—become connected.

“I fear for the day every hospital system is down,” CNN quoted him as saying. “This will require some kind of governmental mandate.”

Companies don’t have enough incentive to do it on their own, he argued.

“We are in this sorry and deteriorating state because there’s almost no cost for a manufacturer to deploy products with poor cybersecurity,” CIO quotes him as saying.

He called on a variety of sectors to help put safeguards in place.

“Universities, industry and government must find the strength and resolve to invest in embedded cybersecurity with interdisciplinary science and engineering, industrial partnerships for research and education, and service to the nation,” he said.

Read Fu’s full testimony or watch a video of the hearing at the E&C committee websites of the Republican majority or the Democrat minority.

U-M’s Archimedes Center for Medical Device Security offers a Medical Security 101 training for healthcare organizations, device manufacturers, and regulators in Orlando Jan. 15-17, 2017. The center is a multidisciplinary team of medical and computer science experts who focus on research, education and on advising industry leaders on methods for improving medical device security.