Embedded Software testing expert and author, Jon Hagar speaks with Philip Lew, CEO of XBOSoft.

JonHagar Jon Hagar,  Software Test Attacks to Break Mobile and Embedded Devices

Software has been embedded in devices for a long time. Even though people may not realize it is there, software is controlling large machines such as airplanes and is built into every day devices such as home electronics and personal medical devices.  With many of these devices there are safety and health factors involved, so there is a reduced tolerance for software errors. Today, embedded software has merged into the mobile world as mobile phones are basically computers running lots of software.

Last week, Phil took time out to interview Jon Hagar, the owner of Grand Software Testing, a company specializing in software test consulting and training for mobile and embedded systems. Jon has been working with embedded software testing for more than 30 years, primarily in the aerospace industry as well as the automotive and medical industries. He has a new book coming out in September on embedded software testing (title: Software Test Attacks to Break Mobile and Embedded Devices, CRC press):

Phil: “Can you explain what is different about embedded software?”

Jon: ”A lot of times, embedded software doesn’t have the standard GUI you see in normal IT/PC software world. Also embedded software is often controlling unique and specialized hardware. People often don’t know they are using a device that runs with software. If you ask people if there is software in their car, most people have no clue it’s there or its scale of presence. In reality there are 20 to 40 processors in some modern cars running various kinds of software. So, people are unaware they are using software because it is “embedded” in specialized hardware and there is no (or minimal)  user interface.  However those people are likely looking at and using an embedded software system everyday.”

Phil: ”Can you give an example of an interesting test scenario you have encountered regarding testing embedded software?”

Jon: “Batteries- Everyone wishes their battery would last longer right? The typical IT programmer does not think about batteries or power consumption, nor do they typically worry about network signal or Wi-Fi strength. Programmers assume consistent power and signal/bandwidth is available.  This may mean logic exists which “drains” batteries or is dependent on strong connects.  We as testers many need to run test cases checking battery usage or signal impact, which can mean we may need specialized test equipment to do this, e.g. voltmeter and signal monitors. Because embedded is converging with mobile, there are many interesting new mobile embedded test cases we need to think about setting up and running.”

Phil: “Jon, you’ve been working on your book on embedded software testing and it’s about to come out. You’ve mentioned the convergence of the classic embedded world and the typical mobile software GUI. Is this what prompted you to write your book?”

Jon: “Yes, I liken the rapidly expanding world of embedded and mobile “apps” to being back in the “Wild West”of the “.dot com” days- i.e. people creating lots of software and not understanding it all. I see many small app companies not doing much testing, letting users debug devices. That may work sometimes, but can fail too if users posts bad reviews on social media and delete your app after just a few usages, which current app store data suggests. This observance prompted me to do a book on embedded and mobile.”

The book follows the “How to break software” tradition started by Dr. James Whittaker.

Phil: “How is this book different from all the other software testing books?“

Jon: “There are many books available on software testing. However, my book targets tests concepts for the mobile and embedded software space.  The book introduces 32 + software attacks targeting common bugs seen over and over in the mobile / embedded space. The book identifies which attacks are suited for mobile software apps, embedded devices, and are common to both. The book also provides a road map for how to set up mobile-embedded test environments. Whether a smartphone mobile app, or mobile medical device app, there are similar things to test for, which are different from traditional IT. However in the case of medical devices a problem could be critical to a persons’ life.  So testing in mobile and embedded software, context remains important to consider.”

Phil: “With similar problems in the mobile medical device world and the smartphone world, this brings up the issue of privacy and security.”

Jon: “You’re right. A device monitoring diabetes insulin levels raises security & privacy concerns, in terms of the data on the device. People generally don’t want their medical information broadcasted to anyone. Some such devices are monitoring vital signs and sending data out to “network”. Depending on the level of security and who the data is being sent to, this could be illegal from a HIPPA point of view. Medical device hacking has been done in the lab and we should see a lot of interest in mobile medical testing with respect to privacy and security. For example, this can be scary because pacemakers can and have been hacked. If you look at modern hospitals, many are using devices with embedded software.  These devices are plugged into a network and connected to other systems such as a billing system. Some surgeons and medical professionals are currently using equipment with embedded software and they don’t even know it. Mobile and embedded testers must now think about security test attacks of such devices.”

Phil: ”It seems like the penetration of embedded devices and hence embedded software is endless. You mentioned the automobile industry. If you hacked into an advanced automobile computer system, what could be done or damaged?”

(Jon)” Well with keyless entry systems, a criminal can walk up and unlock your car with a special device. Recently this has been happening, and we (the professionals in industry) are not sure how this is being done (yet). Then there is hacking of factory systems like when someone in Texas recently hacked a PLC in a sewer plant. PLC (programmable logic controller) devices control our factories, water, power, and sewer systems. These types of specialized embedded computer systems may need better security testing.”

Phil: “What does that mean for mobile and embedded software testing?”

Jon: “Many programmers and testers of embedded devices as well as mobile apps need to think classical software testing and specific attacks to break the software. It is important to remember that testing embedded and mobile devices add a number of new test scenarios that we must consider.”

Phil: “ Well thanks a lot for your time Jon. We look forward to your upcoming book entitled “Software Test Attacks to Break Mobile and Embedded Devices” due to be published in late September 2013.(9/26/13 Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series by Chapman and Hall/CRC).

Jon Hagar can be contacted at embedded@ecentral.com and web site: http://breakingembeddedsoftware.wordpress.com/