In a recent uTest Software Testing Blog piece, The Future of Software Security Testing, I took a look at non-traditional devices that will soon need security testing. But mobile apps are already starting to expand to some of these non-traditional devices – such as appliances and vehicles. Here’s a mobile-centric excerpt from The Future of Software Security Testing:
The introduction of entertainment screens and app integration into vehicles is the latest security frontier. Bruce Snell, Technical Marketing Manager for McAfee and a member of their vehicle security research team, said in an email interview that while he doesn’t want to incite panic, he does believe these new features will require enhanced security measures – and may not be a good idea at all.
“The first thing that comes to mind is the Facebook and Twitter integration that is showing up in some of the high end vehicles,” he said. “They’re basically connecting the vehicle to the internet, which is in turn opening it up to attack. I am both a car fanatic and a gadget junkie, and I really think adding features like that to a vehicle is a bad idea. Not only from a security perspective, but from a driver distraction perspective.”
In addition to connecting to the internet, the software involved with entertainment systems is extremely similar to the technology used in web and mobile apps, meaning hackers already know which exploits work best. Connecting to apps – either via the cloud or by physically connecting a mobile device – opens the door for malicious actions to extend to the car’s software system.
One issue of concern is fighting ordinary PC viruses that could potentially infect cars when laptops and other devices are plugged into infotainment systems.
“Viruses are something that needs to be addressed directly. How we guard against that transfer to our system is a primary focus of our efforts,” said Toyota spokesman John Hanson. – Reuters
Ford recently announced the addition of SYNC App Link to one million vehicles, including new models of the Fiesta, Mustang, Expedition, Fusion, F-150 and Super Duty. SYNC App Link allows drivers to link their smartphones to their car, allowing them to control apps on the phone via voice or steering wheel buttons. Luckily, Ford already has an eye on the potential issue of app vulnerabilities allowing hackers access to a vehicle’s systems. It has security experts in place to specifically look into the vulnerabilities of SYNC and is taking steps to ensure entertainment apps are separate from other systems.
“Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset,” Alan Hall, a Ford spokesman, told Reuters.
“Streaming content is cordoned off from the other systems — Ford has to control the apps and make sure it knows what’s going on,” said Kevin Dallas, the general manager for Microsoft’s Windows Embedded (which is working with Ford on SYNC). Dallas spoke at Gigaom’s Roadmap Conference in November.
Unfortunately, companies that manufacture car systems have a way to go when it comes to understanding security software. Though cars and medical devices are not new, the use of wireless communication technology within the devices is fairly new. Device manufacturers are not used to addressing the outside threats and vulnerabilities presented by wireless tech – hacking has never been an issue for them, so companies are behind when dealing with potential security threats.
Yoshi Kohno, an Associate Professor of Computer Science and Engineering at the University of Washington, is part of a team researching vehicle computer security. In a recent Marketplace article, Kohno said that car computers don’t present an immediate danger but manufacturers are way behind when it comes to security testing.
“It is true that the car is becoming increasingly pervasively computerized, and wireless networks are being connected to the car, and if we don’t start addressing the computer security risks with the modern automobile today, then the risks would increase in the future,” he said in the article. “The automobile we studied had security moderately equivalent to the security you’d find in a desktop computer in the mid-1990s.”
The general consensus among security experts seems to be that vehicle system security is about 20 years behind the rest of the software security industry. Experts see the accelerated surge of car tech combined with the lag in understanding security risks as the reason vehicle system hacking is potentially so dangerous.
“The manufacturers, like those of any other hardware products, are implementing features and technology just because they can and don’t fully understand the potential risks of doing so,” said Joe Grand, an electrical engineer and independent hardware security expert, in the Reuters article.
For more on this topic, and to learn what’s already being done and where testing needs to go next, read the full post on the uTest Software Testing Blog.