The Future of Software Security Testing

When mobile devices and native apps hit the mainstream market, the software testing world underwent a major shake-up. Companies and testers alike are still working to bring mobile testing up to the level of decades of desktop testing. But the pace of innovation hasn’t slowed. In addition to the ever-changing threats present in software, web and mobile testing, the quality assurance profession will soon have to branch out into new fields, such as wireless medical devices and vehicle software.

In recent years it has been repeatedly demonstrated that vehicle computer systems and wireless medical devices are susceptible to attack. Though no malicious attack has been reported, several research groups and security organizations have shown that vulnerabilities exist that allow an attacker to take control of insulin pumps, pacemakers, implantable cardiac defibrillators (ICDs) and wireless vehicle communication systems.

  • In 2010 a research team from the University of South Carolina and Rutgers set off tire pressure alerts in a car moving at highway speeds. “The clever bit involved spoofing wireless sensors and transmitting messages rather than bypassing security controls, which were notable by their absence,” The Register reported. In other words, the receiving unit accepted any well-formed message, with nothing to tie a message to the sensor that was supposed to have sent it.
  • In 2008, a paper titled Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses was published. The study showed that “someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia” – using only an antenna, radio hardware and a computer.
  • In 2010, a research group named the Center for Automotive Embedded Systems Security loaded a malicious program into a car’s computer system. The program took control of several systems, including the horn and automatic door locks, and ultimately shut down the engine. “This demo, which we tested on both cars, required fewer than 200 lines of code added to CARSHARK. … One could also extend this sequence to include any of the other actions we learned how to control: releasing or slamming the brakes, extinguishing the lights, locking the doors, and so on.”
  • In 2011, security researcher Jerome Radcliffe demonstrated live on stage that he could take control of an insulin pump. “Radcliffe showed how he could use [a] remote transmitter both to administer arbitrary insulin doses, as well as to disable the pump,” reported Information Week.
  • In 2012, several white hat hackers showed that it was possible to attack pacemakers to deliver deadly shocks and spread malware between devices.

How pressing is this issue? From 1993 to 2009, 2.9 million pacemakers were implanted into patients in the United States. More than 140,000 ICDs are implanted annually in the U.S. As of 2006, more than 200,000 people used insulin pumps, and that number has likely grown. On the car front, “A typical luxury sedan will carry … scores of processors and close to 100 million lines of software code, or roughly 20 times more than used in a F-35 Joint Strike Fighter,” according to Jalopnik.

To complicate matters, the attack surface is growing at an incredibly fast rate, meaning manufacturers are falling even further behind. The introduction of entertainment screens and app integration into vehicles is the latest security frontier. Bruce Snell, Technical Marketing Manager for McAfee and a member of its vehicle security research team, said in an email interview that while he doesn’t want to incite panic, he does believe these new features will require enhanced security measures – and may not be a good idea at all.

“The first thing that comes to mind is the Facebook and Twitter integration that is showing up in some of the high end vehicles,” he said. “They’re basically connecting the vehicle to the internet, which is in turn opening it up to attack. I am both a car fanatic and a gadget junkie, and I really think adding features like that to a vehicle is a bad idea. Not only from a security perspective, but from a driver distraction perspective.”

Beyond the internet connection itself, the software in entertainment systems is very similar to the technology used in web and mobile apps, meaning attackers already know which exploitation techniques apply. Connecting to apps – either via the cloud or by physically plugging in a mobile device – opens the door for a compromise to extend from the infotainment system into the car’s other software.

One issue of concern is fighting ordinary PC viruses that could potentially infect cars when laptops and other devices are plugged into infotainment systems.

“Viruses are something that needs to be addressed directly. How we guard against that transfer to our system is a primary focus of our efforts,” said Toyota spokesman John Hanson.  – Reuters

Ford recently announced the addition of SYNC AppLink to one million vehicles, including new models of the Fiesta, Mustang, Expedition, Fusion, F-150 and Super Duty. SYNC AppLink allows drivers to link their smartphones to their car and control apps on the phone via voice or steering wheel buttons. Ford already has an eye on the risk of app vulnerabilities giving an attacker access to a vehicle’s systems: it has security experts in place specifically to look into the vulnerabilities of SYNC and is taking steps to keep entertainment apps separate from other systems.

“Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset,” Alan Hall, a Ford spokesman, told Reuters.

“Streaming content is cordoned off from the other systems — Ford has to control the apps and make sure it knows what’s going on,” said Kevin Dallas, the general manager for Microsoft’s Windows Embedded (that is working with Ford on SYNC). Dallas spoke at Gigaom’s Roadmap Conference in November.

Unfortunately, companies that manufacture wireless medical devices and car systems have a way to go when it comes to understanding software security. Though cars and medical devices are not new, the use of wireless communication within them is fairly new. Device manufacturers are not used to addressing the external threats that wireless technology introduces – deliberate attack has never been a design concern for them – so they are behind in dealing with potential security threats.

Yoshi Kohno, an Associate Professor of Computer Science and Engineering at the University of Washington, is part of a team researching vehicle computer security. In a recent Marketplace article, Kohno said that car computers don’t present an immediate danger but manufacturers are way behind when it comes to security testing.

“It is true that the car is becoming increasingly pervasively computerized, and wireless networks are being connected to the car, and if we don’t start addressing the computer security risks with the modern automobile today, then the risks would increase in the future,” he said in the article. “The automobile we studied had security moderately equivalent to the security you’d find in a desktop computer in the mid-1990s.”

The general consensus among security experts seems to be that vehicle system security is about 20 years behind the rest of the software security industry. Experts see the accelerated surge of car tech combined with the lag in understanding security risks as the reason vehicle system hacking is potentially so dangerous.

“The manufacturers, like those of any other hardware products, are implementing features and technology just because they can and don’t fully understand the potential risks of doing so,” said Joe Grand, an electrical engineer and independent hardware security expert, in the Reuters article.

In terms of medical devices, the Food and Drug Administration (FDA), which is responsible for approving new devices for public use, has admitted that it has not considered intentional attacks during its security evaluations. Because of this, device manufacturers have focused mainly on unintentional failures (such as accidental radio interference) and have not invested in testing for attack-based security vulnerabilities.

This gap in security is beginning to be recognized. The U.S. Government Accountability Office (GAO) produced a report on the FDA’s security scrutiny of wireless medical devices, and the Medical Device Innovation, Safety and Security Consortium has taken an active role in the research. For vehicles, Ford isn’t the only company already eyeing enhanced security measures and testing. Several car manufacturers have brought in extra security experts, and larger groups – such as McAfee and SAE International – are researching the issue as a whole.

“SAE Vehicle Electrical System Security Committee is working hard to develop specifications which will reduce that risk in the vehicle area,” Jack Pokrazywa, SAE’s manager of ground vehicle standards, told Reuters.

As a result of the GAO report, the FDA has begun addressing intentional threats. The top threats specifically identified are unauthorized access, malware and denial of service attacks.

“Several of the experts we consulted noted that certain intentional information security threats were of greater concern than other threats. For example, approximately half of the nine experts expressed greater concern regarding the threats of unauthorized access or denial-of-service attacks,” according to the report. “According to officials from one manufacturer, information security risks resulting from malicious intent are now being considered, and officials are incorporating enhanced security procedures into the design of their medical devices.”

The FDA is expected to tighten its security requirements going forward, for both pre-release and post-release reviews. (It’s important to note that the pacemaker and insulin pumps used in the demonstrated attacks had both gone through the FDA approval process and met the security requirements of the time.)

For vehicles, security testing could be reasonably straightforward. The computer systems in vehicles are not very different from the systems QA experts deal with on a daily basis. The team from the University of South Carolina and Rutgers (who carried out the tire pressure attack) suggested that simply applying conventional security controls to the software in cars – in their case, authenticating sensor messages so that a receiver can tell a genuine sensor from a spoofed one – might be enough to deter most attackers. However, McAfee’s research team, and Snell, aren’t so sure that security testing of non-traditional devices will be that easy. Ensuring security measures don’t interfere with a vehicle’s intricate and vital communications systems could mean that security testers working on vehicle software need new training, techniques and specializations. Car manufacturers may even start turning to third-party companies that specialize in security testing, Snell said.
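To make concrete what "conventional security controls" buy you against the sensor-spoofing attack described above, here is an added example in Python; it is not code from the TPMS researchers, CAESS or any vendor named on this page. It assumes a 16-byte key shared between a sensor and the receiving ECU (how that key is provisioned is out of scope), an 8-byte truncated HMAC-SHA256 tag, and a per-sensor monotonic counter for replay protection. The frame layout, sensor ID and pressure values are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Assumed shared key, provisioned into both the sensor and the ECU at manufacture.
# Key management is not described on the page; this is an assumption of the example.
SENSOR_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
BODY_FMT = ">HIH"           # sensor id (2 bytes), counter (4 bytes), pressure kPa (2 bytes)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 8                 # truncated tag keeps the over-the-air frame short


def build_frame(sensor_id: int, counter: int, pressure_kpa: int, key: bytes) -> bytes:
    """Sensor side: serialize the reading and append an HMAC tag over the whole body."""
    body = struct.pack(BODY_FMT, sensor_id, counter, pressure_kpa)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def parse_unauthenticated(frame: bytes) -> Tuple[int, int, int]:
    """What the attacked receivers effectively did: trust any well-formed frame."""
    return struct.unpack(BODY_FMT, frame[:BODY_LEN])


class Receiver:
    """ECU side: reject frames with a bad tag, then reject stale or repeated counters."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter: Dict[int, int] = {}   # sensor id -> highest counter accepted

    def accept(self, frame: bytes) -> Tuple[bool, str, Optional[int]]:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False, "bad length", None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag bytes cannot be guessed one at a time.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag", None
        sensor_id, counter, pressure = struct.unpack(BODY_FMT, body)
        # Counter state is only updated after the tag verifies, so an attacker
        # cannot burn counter values by transmitting unauthenticated frames.
        if counter <= self.last_counter.get(sensor_id, -1):
            return False, "replay", None
        self.last_counter[sensor_id] = counter
        return True, "ok", pressure


def demo() -> Dict[str, object]:
    """Run a genuine frame, a replay of it, a spoofed frame, and the next genuine frame."""
    rx = Receiver(SENSOR_KEY)
    genuine = build_frame(0x0001, 100, 220, SENSOR_KEY)
    # The spoofer knows the frame format but not the key.
    spoofed = build_frame(0x0001, 101, 90, b"attacker-guessed-key")
    return {
        "unauthenticated_view_of_spoof": parse_unauthenticated(spoofed),
        "genuine": rx.accept(genuine),
        "replayed": rx.accept(genuine),
        "spoofed": rx.accept(spoofed),
        "next_genuine": rx.accept(build_frame(0x0001, 101, 221, SENSOR_KEY)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} {result}")
```

The unauthenticated parser happily reports a 90 kPa reading from the spoofed frame, which is the low-pressure alert the researchers triggered; the authenticating receiver rejects it on the tag check before the counter is ever consulted. A MAC gives authenticity and integrity without encrypting the payload, and it is the lack of authenticity, not confidentiality, that these spoofing attacks exploit.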

“This is one of those areas where theory and reality don’t always align,” Snell said. “Ideally you’d want to approach security testing of vehicles in a very holistic manner to make sure there aren’t security issues when dealing with the interactions of various systems. Unfortunately, these systems do tend to require very different skillsets for programming and analysis. It is very difficult to find people with the skillset to do research across both embedded control systems and the latest IVI systems.”

Snell believes a renewed emphasis needs to be placed on security testing across the entire QA field – not just in terms of non-traditional devices. The novelty of these non-traditional devices needing security testing may be the opportunity the industry needs, he said.

“The reason we have the security issues we have in regular software is because either security is not something the developers are thinking about or they are pressured by deadlines to get the code shipping and don’t have time to do legitimate testing,” Snell said. “We’re really entering into a new era of automotive technology. We have to make sure that we are thinking about security from the ground up, or we’ll end up in the same boat we are now with computers. If we had started thinking about security when the first PCs were being produced, the information security field would be completely different. We have a great opportunity to start thinking about security from the ground up.”

That added emphasis on software security testing as a whole may be helped along even more by medical device security. When it comes to medical devices, security testing and fixing vulnerabilities is sure to require a big shift on the part of QA. Many of the traditional ways of securing software could potentially adversely affect an implanted device’s functionality.

“Incorporating encryption into the medical device could mitigate the information security risk of unauthorized changes to the settings of the device. However, experts we spoke with said adding encryption to a device could drain its battery more quickly, making it necessary to change the battery more frequently,” said the GAO report.

However, it’s unclear if this will be an issue as devices become more advanced.

“In contrast, two information security researchers we spoke with said that, in their opinion, technology has advanced such that encryption can be added to a medical device without using as much energy as before. However, manufacturers have chosen not to take advantage of this newer technology, in part, because of the potential for increased costs in producing the device, according to other experts,” the report continued.

The nature of implanted devices (especially those responsible for keeping people alive) presents another unique challenge. Software updates and patches are hard to disseminate to implanted devices and manufacturers cannot risk new versions being buggy.

“According to FDA officials, software in implanted medical devices, such as pacemakers, typically is not frequently updated; rather, the software is updated on an as-needed basis. As with any device that uses software, such updates or other modifications could introduce unanticipated software problems that could adversely affect the functionality of a device, particularly if the software had not been properly tested prior to being used,” said the GAO report.

An article from Healthcare Info Security raised the same issue.

“Because medical devices use a wide variety of operating systems, implementing a patch to take care of a virus threat can prove challenging, says Steve Abrahamson, program manager of product security at GE Healthcare, which manufactures devices. ‘That’s why we want to test a patch before telling customers to apply it to a device’ to make sure it doesn’t interfere with the device’s functionality, he says.”

Because of these challenges, many groups are looking at protecting the communications around a device rather than hardening each implanted device individually. From Information Week:

Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference. MedMon monitors communications to and from implantable or wearable medical devices. If the firewall detects unusual activity, it can alert the user or send out signals to block the cyber-attack.

Niraj Jha, part of the team that developed MedMon, told UPI that although the risk of medical device hacking is low, security measures are needed before the kinds of attacks demonstrated by researchers occur in the real world.
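The page says only that MedMon watches traffic to and from the device and raises an alert on unusual activity; it gives no detail of how MedMon decides what is unusual. The following is an added example in Python of that monitoring idea, not MedMon's own logic or any vendor's code. It assumes a constructed command log (one line per radio command seen on the air), a per-patient policy of known transmitters and dose limits that a clinician would configure, and values chosen purely for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed log format for this example; real device telemetry looks different.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) tx=(?P<tx>\S+) cmd=(?P<cmd>[A-Z_]+)"
    r"(?: units=(?P<units>[\d.]+))?$"
)


class Policy:
    """Per-patient limits a clinician would set; the numbers used below are assumed."""

    def __init__(self, known_transmitters: Iterable[str], max_bolus_units: float,
                 max_boluses_per_window: int, window_minutes: int) -> None:
        self.known_transmitters = set(known_transmitters)
        self.max_bolus_units = max_bolus_units
        self.max_boluses_per_window = max_boluses_per_window
        self.window = timedelta(minutes=window_minutes)


class Monitor:
    """Passive observer of commands addressed to one device.

    It never talks to the device itself; it only returns alerts for each
    observed command, which a real system would forward to the patient.
    """

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.bolus_times: Deque[datetime] = deque()   # BOLUS timestamps inside the window

    def observe(self, line: str) -> List[str]:
        m = LINE_RE.match(line)
        if not m:
            return ["unparseable line"]
        ts = datetime.fromisoformat(m["ts"])
        tx, cmd = m["tx"], m["cmd"]
        alerts: List[str] = []

        # Any command from a transmitter the patient has not paired is suspicious,
        # whatever it asks for (a SUSPEND is as dangerous as a large dose).
        if tx not in self.policy.known_transmitters:
            alerts.append(f"unknown transmitter {tx} sent {cmd}")

        if cmd == "BOLUS":
            units = float(m["units"] or 0)
            if units > self.policy.max_bolus_units:
                alerts.append(f"bolus {units}U exceeds limit {self.policy.max_bolus_units}U")
            # Sliding window: drop timestamps older than the window, then count.
            while self.bolus_times and ts - self.bolus_times[0] > self.policy.window:
                self.bolus_times.popleft()
            self.bolus_times.append(ts)
            if len(self.bolus_times) > self.policy.max_boluses_per_window:
                alerts.append(f"{len(self.bolus_times)} boluses within {self.policy.window}")
        return alerts


def run(lines: Iterable[str], policy: Policy) -> Dict[int, List[str]]:
    """Return {line number: alerts} for every line that raised at least one alert."""
    mon = Monitor(policy)
    flagged: Dict[int, List[str]] = {}
    for lineno, line in enumerate(lines, start=1):
        alerts = mon.observe(line)
        if alerts:
            flagged[lineno] = alerts
    return flagged


# Constructed sample: two normal doses, then a stranger's transmitter sends a
# huge dose and a suspend, then a legitimate dose that tips the hourly count.
SAMPLE_LOG = [
    "2012-04-10T12:00:00 dev=pump01 tx=remote-A cmd=BOLUS units=1.5",
    "2012-04-10T12:20:00 dev=pump01 tx=remote-A cmd=BOLUS units=2.0",
    "2012-04-10T12:25:00 dev=pump01 tx=tx-9f31 cmd=BOLUS units=25.0",
    "2012-04-10T12:30:00 dev=pump01 tx=tx-9f31 cmd=SUSPEND",
    "2012-04-10T12:40:00 dev=pump01 tx=remote-A cmd=BOLUS units=1.0",
]
POLICY = Policy(known_transmitters=["remote-A"], max_bolus_units=10.0,
                max_boluses_per_window=3, window_minutes=60)

if __name__ == "__main__":
    for lineno, alerts in run(SAMPLE_LOG, POLICY).items():
        print(lineno, alerts)
```

Because the monitor sits beside the device rather than inside it, none of this costs the implant battery or requires a firmware update, which is exactly the trade-off the GAO quotes above describe. The price is that the monitor only alerts after a command has been transmitted; whether the device then executes it is a separate question.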

Though security testing for vehicles and medical devices will present new challenges, testers won’t be forging a completely new path. Testers interested in these new fields can use many of their white hat hacking tricks to ferret out issues, then turn to other industries and organizations – such as the aviation industry, DARPA or NASA – to see how they address security vulnerabilities while working with tight restrictions.

No matter what path security testers take when dealing with these new risks and non-traditional devices, though, it’s clear that security needs to be addressed sooner rather than later. Unlike mobile phones and websites, a hack targeting these devices could literally mean life or death one day.
