There were news reports last week about a man (not named here) who was detained and then banned from flying on United Airlines because he issued some tweets about how the onboard Wi-Fi entertainment system might be used to access flight systems, thus compromising flights. The news reports included interviews with the man, pilots, and other “experts.” The man said there is “risk” and even posted some images supposedly of the risk on Twitter. The experts said there “is minimal risk.”
I do not have in-depth personal knowledge of these exact systems. I have not been on a security test team directly trying to hack these systems, but I hope the manufacturers and the airlines DO have such teams in place for their embedded/IoT systems. Other large companies have security test teams in place for their systems. Companies such as Target and Home Depot likely now wish they had had more security testing in place before they were hacked. There are news stories and calls to action on security and testing by the politicians almost every day. There is even a new US government office in charge of such things, just announced.
I can say that in some of my research for a mobile/embedded/IoT error taxonomy I have seen unexpected interconnects between systems within planes, which gives one pause not just from a testing-integration security perspective, but from a development perspective as well. The chance that there are “sneak paths” is real in complex electronic software systems (Google “sneak circuit analysis” for a good V&V activity to consider doing). In my book I point out various attacks which teams should apply to their systems. Now, testing cannot be totally complete and assure 0% risk in the security world, but it seems like we could be doing more, and not waiting until “bad” things happen or our systems are on the news.
As to the gentleman who got himself banned from United, while he may have thought he was doing a public service, in my publications and classes, when I discuss security testing, I pretty much always tell people that the activities and attack patterns I define should be applied by teams who have been chartered to do security work. Making statements that seem like a threat, or actually attacking a system one is not authorized to attack, is at least unethical and in many cases illegal. DO NOT DO THIS! In the first situation, where we are developing, running and maintaining modern computer systems, the stakeholders, including testers, have responsibilities to assure the qualities of what we create. In the second case, as good citizens of the world, we also have obligations not to do things that are unethical or illegal. Please keep these things in mind as you build your testing skills. Security testing is one of the hottest areas to develop. Get into a sandbox and start working on security testing skills there, not in the public domain. Go for better security testing on the job.
Security testing: Plane trains and cars