Making Medical Devices Secure – Tamil Mathi – ASW #373
Medical devices are a special segment of the IoT world where availability and patient safety are paramount. Tamil Mathi explains why many devices need to fail open -- the opposite of what a traditional appsec approach would initially assume -- and what makes threat modeling these devices interesting and unique. He also covers how to get started in this space, from where to learn hardware hacking basics to reviewing firmware and moving up the stack to the application layer.
Segment Resources:
Tamil Mathi is a Cybersecurity Professional with more than seven years of experience securing high impact, safety critical systems, including healthcare products used across the world. He specializes in IoT, web, and cloud security, with deep expertise in threat modeling, secure design reviews, penetration testing, red teaming, and incident detection and response.
An active vulnerability researcher, Tamil has been credited with a CVE (CVE-2025-34282) for a finding in an IoT system. He is passionate about building resilient security architectures that protect mission critical healthcare and connected systems, and he regularly shares practical insights and research with the broader security community.
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Mike Shema
- Utah’s new medical chatbot can be easily hacked to give dangerous medical a – Mindgard
- Zero Day Clock
The best part about this is that the calls to action aren't about accelerating competing clocks in the sense of detect and fix vs. detect and exploit. It's the call for avoiding security flaws in the first place with better designs, better CI/CD tooling, and getting away from a feedback loop based purely on vuln counts.
- decomplexification continued | daniel.haxx.se
The end of this post captures a recurring theme of mine, "We believe less complex code is generally good for security and code readability, but it is probably still too early for us to be able to actually measure any particular positive outcome of this work…"
It's quite fair to note that there aren't any strong metrics to indicate the benefit to security from this kind of refactoring. But I would still advocate for this kind of work when it makes code more readable and updates old patterns to newer abstractions and more test cases. This feels like the kind of work that makes a project more maintainable over time and more amenable to incorporating new features, whether security or otherwise.
And, admittedly, I still believe that code is written for humans to understand and reason about in terms of its architecture and design.
- How AI Agents Automate CVE Vulnerability Research | Praetorian
- Issue #8 (Feb’26): Page-based buffer overflow
A new issue! Finally!
At 1 page per entry, it's easy to jump around to find something that appeals. There are several LLM-related entries near the front, including some related to cybersecurity, but other entries get into a brief discussion of complexity, repairing a Dreamcast, hooking Android with Frida, inverted authentication logic, and more!