How the IoT Will Change Security Testing

Security is an essential part of the human experience

 

When you’re talking about devices we interact with every day, have in our homes, or on or in our bodies, it’s important to think of security as essential to user experience and, really, to human experience.

 

” If I knew, for example, that Facebook was sharing a lot of data I wouldn’t want shared, it could impact how I view the app.”

 

Diwakar Menon, CEO of Last Mile Consultants says that user experience isn’t all elements of security, but personal privacy and personal security does come under the UX umbrella.

So far, most data transfers have been between humans, services, and businesses but, as Sean Hargrave of The Guardian writes, when machines start to collect data, it becomes a regulatory minefield, and what data you are sharing becomes part of the security and privacy questions we must be asking.

Similarly, while security is part of the user experience, human error is part of the security experience.

You have to test both for “the engineering failures and the human failures. It’s the perfect example of whatever can go wrong, will.” Bruce de Grazia, program chair of the cyber security management and policy department at University of Maryland, University College said that testers “need to think of more than just the technical failures. They need to think about the people failures — "what could somebody do that could make this vulnerable?”

Perhaps healthcare is where there needs to be even faster innovation in Internet of Things security testing to keep up with the rapid innovation of the marketplace. Thurai points out a possible solution is to have all the connected medical devices in a hospital connect to only a specific network that’s been secured, authorized and authenticated

“Also, before it can send any information anywhere, both parties need to identify, authenticate and authorize each other,” he said. “While the worry of someone connecting to your device and manipulating it to harm a patient is an issue, allowing unknown devices to connect to your network to feed the data or pollute your data collections should be considered as an issue too,” Thurai continued.

Of course, healthcare, like all emerging IoT focuses, will need more standards and protocols that we will have to follow.

 

Security testing the Internet of Flying Things 

 

Perhaps one of the most challenging “things” to test is the hottest: drones, which makes looking at how Altitude Angel has solved much of safety testing them even more compelling.

What Richard Parker, founder of Altitude Angel, has trademarked as the Internet of Flying Things (IoFT) involves things or devices that are permanently in motion, which have a very different set of requirements and capabilities than in the fixed world. “I have to deal that the drone gets turned off, driven 300 miles and then switched on,” he explained.

Add to this the complications of connecting through a combination of local WiFi, short-range radio and, increasingly more popular, cellular networks with potentially unlimited range. And then there’s not only the things in the sky but on the ground — other drones, trains, Screen-Shot-2018-03-28-at-2-15-23-PM.pngreservoirs, power stations — that are dangerous to the drones, infringing on their escape vectors.

All IoT testing is about risk management, but perhaps even more so in the IoFT, which is why Altitude Aircraft wants to be put directly on the drones as a sort of air traffic control. He says Altitude Angel is completely tested via their in-house flightpath simulator.

For Parker, it isn’t just about testing if the Altitude Angel software works with certain devices, you have to test to make sure they are providing information that’s important to those things in the air — where people are, which mobile providers, the location of hardware that doesn’t move that the drone needs to find like charging and fueling stations, and how to navigate around points of interest.

They use simulation and machine learning as much as possible because “We don’t work for the FAA [Federal Aviation Administration], so we can’t plan for other vehicles,” and “from our perspective, Altitude Angel is 100 percent focused on safety.” In this context, safety is first and foremost defined as collision avoidance.

But testing IoT in a more traditional industry like air and space comes with its own challenges. “In the area of aviation, the industry is very old and very traditional. The view is that the drone industry needs to fit in, to co-exist. It ends up holding us to very high, very different safety standards as an aircraft company.”

Altitude Angel typically tests for three situations that could apply in most Internet of Things testing:

 

  • Normal scenario
  • Abnormal scenario (Example: Introducing some sort of GPS failure, acting erratically, or offering no readings at all.)
  • Failure scenario (Example: The drone loses complete contact or is somehow damaged by another drone.)

 

The Internet of Flying Things isn’t just about the things up there, but the people down here. On average it takes ten to 12 minutes for an ambulance to respond to a heart attack, while a drone could cut the time in half to get a defibrillator, staving off significant brain damage. It’s for this and many reasons that all of Altitude Angel’s safety features are necessarily free.

 

” We want it to be open, transparent, and safety should be free.”

 

The breadth of the Internet of Things means it’s essential that organizations are more open, forthcoming and sharing.

 

In IoT testing for privacy is really testing for security

 

With the Internet of Things, we will need a whole new term for what will become the too minuscule buzzword of “big data.” It’s for this that now more than ever we need to separate the identity of the person being measured by a sensor from the data they generate.

John Taysom, a fellow at the University of Cambridge and co-founder of privacy company Privitar, said in an interview with The Guardian that he believes this data-identity disassociation is key because companies and governments can take advantage of the data without taking advantage of the person or any risk to privacy. He fears, though, that organizations might rush in too soon before realizing the potential for compromising an individual’s private details. “There’s obviously a lot of concern about privacy but I think we’re in one of those situations like smoking or sugary foods”, he said in the article.

“The gain to getting all that data is very instant but the problems seem a long way off, and so you end up not being firm enough with guidelines until further down the line and governments have to step in to set rules.

You shouldn’t forget that ultimately the machines taking the readings and transmitting them are owned by companies which want to use that information. Although we’re talking about sensors, we’re really talking about the people and companies that own them.”

 

” Tech companies must be responsible for questioning if too much information is being transferred or if it’s private in nature.”

 

Most of IoT testers will experience this similar moment: “The data you know it collects seems inoffensive, but then you step back and you see the huge amount of data you have, it’s really hard to see that data and the guy that has the device that has no idea the complexity of the device,” Trifa said. “Someone stealing my password on Facebook sucks, but this is something where people could have accidents and worse. This is the emotional and physical hurting someone can do with the Internet of Things.”

And with this, the importance of IoT security and privacy testing continues to grow.

 

Start security testing today

SoapUI Pro, helps you find and address API security vulnerabilities before you go to production by providing several built-in security scans that you can easily add to your API tests. Our unique Security Scan Wizard walks you through the steps of customizing the test run by selecting the scans you want to use and the test steps you want to run them against.

Learn more about the different security testing features in ReadyAPI.

 

Start your free trial of ReadyAPI today

 

Learn more:

State of API Security

Security in the Age of IoT

Threat Modeling Example

Security Vulnerability Testing

Automation & IoT Testing