I'd imagine the correct thing to do is use the FDA's "MedWatch Online Voluntary Reporting Form".
Use the MedWatch form to report adverse events that you observe or suspect for human medical products, including serious drug side effects, product use errors, product quality problems, and therapeutic failures for:... Medical devices (including in vitro diagnostic products)
That strikes me as a system that was set up with the best intentions, but which in practice acts as a barrier to, rather than facilitator of, change. The only way I can see it compelling a manufacturer to change is if someone is killed by this exploit and their family uses the existence of a report of that vulnerability to push for massive willful negligence damages in a lawsuit.
That strikes me as a system that was set up with the best intentions, but which in practice acts as a barrier to, rather than facilitator of, change
Hu?
I can see an argument that is is ineffective (maybe it just drops into the FDA bureaucracy), but I'm not sure how you can argue it is actually a barrier?
The FDA does actually have some pretty significant regulatory authority over medical devices. IANAL, but it appears this may be one of the limited cases where the FDA may actually be able to force a recall[1] as opposed to just requesting it. I suspect (and hope) the "recall" would actually be limited to a software update in this case. Even if they can't force it, a FDA-requested recall is a pretty significant thing.
Use the MedWatch form to report adverse events that you observe or suspect for human medical products, including serious drug side effects, product use errors, product quality problems, and therapeutic failures for:... Medical devices (including in vitro diagnostic products)
[1] https://www.accessdata.fda.gov/scripts/medwatch/