In a recent report, web application security researcher Sam Curry revealed serious vulnerabilities in the API (application programming interfaces) endpoints of cars from 15+ major manufacturers. These vulnerabilities allow hackers to remotely access vehicle telematics systems, activate horns and lights, track, lock/unlock, start/stop vehicles, and even make payments.
Some of the affected manufacturers include Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, Ferrari, Spireon, Ford, Reviver, Porsche, Toyota, Jaguar, Land Rover, and SiriusXM. The world of growing technology is dynamic. While some people develop answers, others attempt to use the weakness in the developed solution to develop a new problem.
Automobile thieves appear to be working tirelessly to keep one step ahead of the innovations made to stop them. Automobile robbers advanced to employing computer codes to hack a vehicle from the days of shattering car windows to gain entry or hotwiring a vehicle to take it.
The Impact Of API Vulnerabilities
These API vulnerabilities have the potential to cause significant problems for both individual car owners and the automotive industry as a whole. For car owners, the prospect of having their vehicle remotely accessed, started, or stopped without their consent is understandably concerning. In addition, the ability to track a vehicle’s movements or make payments through the API could lead to financial consequences for the owner.
The exploitation of API vulnerabilities could also lead to more serious issues, such as a loss of control over the vehicle while it is in motion. In extreme cases, this could result in accidents and injuries. The ability to remotely access vehicle systems also presents the potential for hackers to disrupt traffic patterns or cause chaos on the roads.
For the automotive industry, the exploitation of API vulnerabilities could lead to a loss of consumer trust and a decline in sales. In today’s world, where technology plays such a significant role in our daily lives, people rely on the security of their devices to protect their personal information and prevent unauthorized access. If car manufacturers are unable to protect against API vulnerabilities adequately, consumers may be hesitant to purchase their products.
The Need For In-Depth Defense With Cybersecurity Strategy
Experts in mobile app and API shielding security, such as Approov, have offered their perspectives on the widespread problem. Ted Miracco, CEO of Approov, emphasizes the importance of a defense in depth cybersecurity strategy for the automotive industry. He notes that many recent breaches have been enabled by a single point of failure, such as exploiting user credentials or API keys to unlock cars. Zero-trust systems, which verify the user, the device, and the authenticity of an application, can provide a layered approach to security that can prevent these types of attacks.
In the short term, Miracco expects a bumpy road ahead for the automotive sector when it comes to cybersecurity. He points out that secrets, including API keys, are often hidden but within reach in automotive applications on both iOS and Android. Legacy approaches like code obfuscation have proven insufficient to thwart attacks, and additional security measures are needed to protect vehicles. More people now adopt mobile devices to unlock their vehicles, Miracco predicts an increase in theft that will shock consumers and have a ripple effect on insurance companies and law enforcement.
Protecting Against Vulnerabilities with Authentic App Access
Skip Hovsmith, CTO of Approov, adds that these breaches occurred by intelligently exploiting vulnerabilities in the API implementations. However, even perfect API implementations can be abused. To protect against this, manufacturers should focus on allowing only authentic apps to make API calls. If an authentic app only makes well-behaved API calling sequences, then any API vulnerabilities present simply can’t be exploited. This protection can be implemented in vehicles already on the road or in production.
The Importance of Cybersecurity in the Auto Industry
Overall, it’s clear that the auto industry needs to prioritize cybersecurity in order to protect against these types of vulnerabilities and potential attacks. Implementing zero-trust systems and focusing on authentic app access to APIs can go a long way in preventing these kinds of breaches. Without proper security measures in place, car manufacturers risk losing consumer trust and facing financial consequences. It’s time for the automotive industry to take action and protect against the potential impacts of API vulnerabilities.
In today’s connected world, it’s more important than ever for the auto industry to prioritize cybersecurity. The proliferation of connected vehicles and the increasing reliance on technology for functions such as navigation, entertainment, and communication make them prime targets for hackers. By ignoring the need for strong cybersecurity measures, car manufacturers risk not only losing consumer trust, but also facing serious financial consequences.
One way to protect against API vulnerabilities is to implement zero-trust systems that verify the user, the device, and the authenticity of an application. This layered approach to security can prevent attacks enabled by single points of failure, such as the exploitation of user credentials or API keys.
Another way to protect against API vulnerabilities is to focus on allowing only authentic apps to make API calls. By limiting access to well-behaved API calling sequences, any vulnerabilities present cannot be exploited. This protection can be implemented in vehicles already on the road or in production.
Preventing Future Vulnerabilities: The Importance of Regular Security Updates
In addition to implementing zero-trust systems and focusing on authentic app access, it’s also important for car manufacturers to regularly update the security of their vehicles. This includes releasing patches for any identified vulnerabilities and regularly updating the software and systems used in their vehicles.
By staying up-to-date with the latest security measures, car manufacturers can help prevent future vulnerabilities and protect against potential attacks. It’s important for car owners to also stay informed about security updates for their vehicles and ensure that they are installed as soon as possible.
The Role Of Government Regulation In Protecting Against Vulnerabilities
In the face of the widespread problem of API vulnerabilities in the auto industry, some have called for increased government regulation to ensure the security of connected vehicles. While this is a complex issue, it’s clear that the current patchwork of voluntary guidelines and standards is insufficient to protect against these vulnerabilities.
In the absence of strong government regulation, it falls on car manufacturers to take the necessary steps to protect against API vulnerabilities and ensure the security of their vehicles. This includes implementing zero-trust systems and focusing on authentic app access, as well as regularly updating the security of their vehicles.
Conclusion
API vulnerabilities in the auto industry present a vital problem that needs to be addressed by both car manufacturers and government regulators. By ignoring the need for strong cybersecurity measures, car manufacturers risk losing consumer trust and facing financial consequences.
To protect against these vulnerabilities, car manufacturers should implement zero-trust systems and focus on authentic app access, as well as regularly update the security of their vehicles. It’s also important for government regulators to play a role in ensuring the security of connected vehicles. Only by taking these steps can the auto industry protect against the potential impacts of API vulnerabilities.
These automotive manufacturers obviously aren’t testing their APIs. The question as to why is simple: there aren’t great tools out there and it mostly has to be done manually. As the researcher showed, however, just a little bit of manual effort pays off.
Flaws that live in the OWASP Top 10 are easily found and exploited. After the initial foray of testing for the OWASP API Security Top Ten, then some Business Logic testing the investigation revealed additional flaws. But in each of the cases here the researcher used simple tools and techniques to find and create points of compromise on these flaws.
The researcher suggests car owners should take responsibility by limiting their input of personally identifiable information (PII), using the highest privacy settings on telematics and implementing two-factor authentication (2FA) but it shouldn’t come to this. Automotive manufacturers have to assume responsibility and securely configure and regularly test their APIs by looking from the outside in as an attacker would.
API Security is the number one attack vector for a reason. There is very little that is done to test for these types of problems which is why researchers are able to exploit simple flaws and blow the whistle on enterprises that have billions of dollars at their disposal and build solutions the general public has learned to trust.
“Cars are now full of computers. Some people say they are computers who just happen to travel a lot. <grin> Security researchers have been finding vulnerabilities in cars and related car systems since cars started having computers in them over a decade ago. Every car manufacturer and related vendor now spends a portion of their vehicle development and support budget trying to locate and eradicate bugs. APIs have long been neglected by defenders and this researcher’s work shows it.”
One car vendor’s security team leader, who used to be one of the world’s most well known car hackers, said (I’m paraphrasing), “We will never get rid of all vulnerabilities in a car. But I think I’ve done my job well if I can keep the vulnerabilities limited to non-critical systems, like entertainment systems.” If we can keep attackers from successfully attacking critical systems…things that can actually physically harm people, then car defenders will have done a fairly good job. What this latest research shows is that the defenders still have a long way to go.”
“Like many other industries, the automotive industry has incorporated heavy usage of APIs across many of its public services. We also encountered similar issues with some of these car manufacturers and others. We can confirm these are not isolated cases and do not cover the entire attack surface and existing vulnerabilities. They do, however, show the depth and magnitude of the API adaptation issues.
Rapid API adoption allows car manufacturers to publish more functionality to be used by car owners, dealerships, and others and is meant to provide a better user experience. However, human nature and history teach us that, unfortunately, usability will always be prioritized over security and privacy – and the results are very well shown by the report. We congratulate Sam Curry for publishing this wonderful research and highlighting the global API security issue.”
“These breaches all occurred by intelligently exploiting vulnerabilities in the API implementations, but even perfect API implementations can be abused. These manufacturers need to focus instead on allowing only authentic apps to make API calls. If an authentic app only makes well-behaved API calling sequences, then any API vulnerabilities present simply can’t be exploited. This protection can be overlaid into vehicles now on the road or in production.”
“It’s well past time for the automotive industry to embrace a defense in depth cybersecurity strategy. Many recent breaches have been enabled by a single point of failure, such as exploiting user credentials or API keys to unlock cars. Zero-trust systems can verify the user, the device, and also – and this one’s important — the authenticity of an application that’s seeking permission to gain entry, start an engine, or even make a payment. It provides a layered approach to security that can prevent these kinds of attacks.”
“In the short term, we see a bumpy road ahead for the automotive sector where cybersecurity is concerned. We are consistently finding secrets (including API Keys) hidden but within reach in automotive applications on both iOS and Android. Legacy approaches like code obfuscation have proven insufficient to thwart attack, and additional security is immediately needed to secure vehicles. As more companies use mobile devices to unlock vehicles, look for an uptick in theft that shocks consumers and reverberates across insurance companies and law enforcement.”