Skip to content

Automotive must address API security, ASAP

Adam Fisher outlines the risks of automotive cyber crime, as well as some potential solutions

There is no question that connectivity has revolutionised the automotive industry. However, while manufacturers race to give drivers innovation, convenience, and enhanced features through technology, sometimes system security can fall by the wayside.  For instance, threat researcher Sam Curry recently documented how application programming interface  (API) vulnerabilities in many cars’ online systems could allow cyber criminals to carry out a number of unauthorised actions. He posted: “If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.”

Because APIs are the building blocks of modern connectivity, they create an ecosystem that enables different systems to talk to each other. In fact, every new feature rolled out in the latest cars will be fuelled by APIs; yet in turn, it has also created an entirely new and evolving digital attack surface—of which every automotive manufacturer must be aware.

Protecting personal identifiable information (PII)

As innovation ensues and more applications become introduced with increasing sophistication, customer PII is put at higher risk. This is for the simple reason that attackers will always gravitate towards stealing this kind of information that can be sold on Dark Web marketplaces or used in identity fraud,  for account takeover purposes or simply to wreak havoc.

connected car
API vulnerabilities in many cars’ online systems could allow cyber criminals to carry out unauthorised actions

Curry’s research laid bare the realities of API vulnerabilities when it comes to connected cars. He showed how APIs exposed access to hundreds of vital internal applications (Mercedes-Benz), employee applications which contained internal dealer portals and sales documents (BMW, Rolls-Royce), and full zero-interaction account takeover (ATO) for any customer (Ferrari). Yet the worst offender was Spireon, whose system vulnerabilities could allow cyber criminals to fully take over any fleet and secure full administrative access to all Spireon products. When considering that Spireon’s technology is used by vital workers, including  law enforcement and ambulance drivers, the prospect of cyber criminals hijacking these systems and controlling vehicles could have catastrophic effects.

API security is the automaker’s responsibility

Developers employed by automakers must, at the very least, be educated on API security threats. This starts with the OWASP API Security Top 10 list. Car manufacturers must also identify all APIs within their environments and have visibility into the API traffic that transports data back and forth through their applications. In addition, runtime visibility into API behaviours is essential to identify vulnerabilities and threats.

To go a step further, it’s essential automakers implement proper oversight and governance for APIs they are accountable for. This is especially important for manufacturers that share consumer data to third parties.

Unfortunately, at present, cyber-specific compliance regulation is sorely behind the curve in the automotive industry. However, with API security usage exploding at such a pace, getting a handle on it now is an imperative for carmakers. Just as one might expect the brakes to function properly upon a cars’ arrival, so too should a vehicle’s cyber security keep the driver safe.


The opinions expressed here are those of the author and do not necessarily reflect the positions of Automotive World Ltd.

Adam Fisher is Director of Sales Engineering at Salt Security

The Automotive World Comment column is open to automotive industry decision makers and influencers. If you would like to contribute a Comment article, please contact editorial@automotiveworld.com

Welcome back , to continue browsing the site, please click here