Connected car systems rely on thousands of Application Programming Interfaces (APIs) to glue them together, connecting smartphone apps to third-party applications for diagnostic, maintenance scheduling and updates from the cloud, to autonomous driving. But these APIs have created a massive attack surface, with threat actors able to look for and exploit APIs in a number of ways, and this is catching automotive manufacturers unawares.
Earlier this year, we heard how 16 car manufacturers, including BMW, Mercedes and Toyota, had their APIs compromised by a security researcher. At least 20 API vulnerabilities were discovered, some of which could potentially have allowed an attacker to compromise employee information, take over customer accounts, access applications used by remote workers and dealerships, locate vehicle locations and send control commands or malicious system updates.
The problem appears to come down to the fact that many of these car manufacturers share the same software in order to shorten the time to market
The Upstream 2023 Global Automotive Cybersecurity Report further reports that researchers were able to send an API request, via a telematics service provider, using the VIN on a unique ID field to remotely start, stop, lock, and unlock vehicles. The hack would have allowed them to send commands to an estimated 15.5 million vehicles.
As with many other facets of car design, the problem appears to come down to the fact that many of these car manufacturers share the same software in order to shorten the time to market. Eager to offer the latest services, many don’t adequately test their APIs during development or post-production, and fail to monitor them once live, enabling attackers to then discover and abuse the API undetected.
Arguably such attacks could cripple the sector. Aside from the loss of data, resulting lawsuits and loss of reputation, there are the compliance infringements and disruption to supply chains as software flaws can take weeks to address. They may even pose a threat to life if in-car control systems are compromised. And the risk is not just theoretical. The same report found automotive API attacks have increased 380% over the course of 2022 and now account for 12% of all incidents.
So, what can the sector do to protect itself? A major problem is lack of visibility and awareness. Many security teams assume that compliance with industry standards and a ‘shift left’ approach to development, together with using a Web Application Firewall (WAF) or API Gateway will offer sufficient protection. The reality is these measures don’t go far enough.
There are now thousands of deployed APIs, inevitably leading to legacy and shadow APIs slipping under the radar. Even perfectly coded APIs are susceptible to attack through a technique known as business logic abuse— just one of the techniques covered in the OWASP API Security Top Ten under API6:2023—which sees the API’s functionality used against it and would remain undetectable using conventional security controls.
The OWASP framework provides a baseline of attack types to which the sector needs to look in order to develop an effective strategy. This needs to include continuous runtime discovery to maintain an accurate inventory of APIs, the use of behaviour-based threat detection to look for unusual activity, and defence tactics to stop attackers from pivoting an attack. Because unless we begin to look at these APIs with an attacker’s eye, we can’t hope to protect them.
The opinions expressed here are those of the author and do not necessarily reflect the positions of Automotive World Ltd.
Jason Kent is Hacker in Residence at Cequence Security
The Automotive World Comment column is open to automotive industry decision makers and influencers. If you would like to contribute a Comment article, please contact email@example.com