4 Things to Know about Your Car and API Security
It used to be cool if your car had GPS and a dashboard screen, remote lock on a key, and a video player for the kids to watch movies during road trips. Then came Bluetooth for your phone and keyless start. Not anymore: the bells and whistles available in today’s cars have left them all in the dust.
Video player? Let’s be honest. This generation knows and expects on-demand streaming to keep them entertained. Cars can now function as fully equipped communications centers. With interconnectivity between your phone and car and voice activation, you can join conference calls, send and receive personal messages, or get updates and make changes to your calendar. You can do everything on your phone, with your car, and more.
Who even needs a key when an app lets you remotely open and lock your car from your phone? While we’re at it, why stop at opening the car door? Why not turn on the engine and get the heater or AC going? Difficulty parallel parking? Your car can help there, too. Plus, it can brake for you if you miss something in the roadway ahead – or reverse brake – bringing you to a controlled stop so you don’t bump into something from behind.
Will we even need to have the DMV driver’s test in the future? Can that rite of teen passage simply be managed by handing your child an updated smartphone to access the family car?
Technology has advanced incredibly fast in the automotive field, and manufacturers are developing new applications quickly to capitalize on the endless possibilities. But what about security? Are car manufacturers making sure that the information flowing through these applications is managed securely and accurately?
In a recent post, web application security researcher Sam Curry looked under the hood at the risks inherent in these new features, and what he found should be alarming to all of us. As he wrote:
“If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.”
In this article, we will discuss four things you should know about these new accessories that aren’t included in your owner’s manual:
- Digitalization drives new features, but APIs fuel them
- Your car’s emissions may include your PII
- Manufacturers are accountable for API security
- What’s needed to avoid the digital blind spot
Digitalization drives new features, but APIs fuel them
Digitalization has provided more convenience, and better experiences in all aspects of our everyday lives – from online banking to food delivery services to on-demand Uber and Lyft rides. And now, digitalization is transforming the applications developed by the automotive industry.
Digitalization helps provide a better experience with added conveniences and driving safety features. Because APIs fuel these new features, the new automotive ecosystem relies on APIs to accelerate their adoption, and the explosion of new applications has increased API usage further. As a result, the immense quantity of APIs being used to support all these new applications has created a new attack surface in your car.
In his research, Sam Curry discovered that bad actors using a vehicle’s VIN could remotely lock/unlock it, start/stop the engine, flash the headlights, and honk the horn, across multiple automobile brands (Kia, Honda, Infiniti, Nissan, Acura, Hyundai, Genesis). Yet these flaws appear rudimentary compared with the other weaknesses uncovered.
Your car’s emissions may include your PII
Could your “personally identifiable information” (PII) be accessed through your car? Absolutely. In fact, PII could be accessed through all of the aforementioned vehicles. However, the threats (and the scope of data able to be exfiltrated) worsen as the number and sophistication of the applications increase, which – not surprisingly – primarily impacts luxury models.
The research showed that vulnerabilities allowed access to hundreds of mission-critical internal applications (Mercedes-Benz); access to employee applications, enabling access to internal dealer portals and the retrieval of sales documents (BMW, Rolls Royce); and full zero-interaction account takeover (ATO) for any customer (Ferrari).
But the longest list of vulnerabilities was cited at Spireon, including the ability to fully take over any fleet and gain full administrative access to all Spireon products. Since many first responders and law enforcement use Spireon’s fleet management services, it is frightening to consider that hackers can access these vehicles and tell them what to do.
Manufacturers are accountable for API security
So who is responsible for securing the APIs? Responsibility is 100% on the manufacturer. If I’m buying a vehicle, I expect it to be secure. I expect the windshield wipers to work because I turned them on – not someone else.
We’ve seen weaknesses like these time and time again in other industries. As companies race to stay competitive and roll out new services and conveniences to customers, they are developing APIs at an unprecedented rate. Hence, API security can often be compromised by development speed.
On the positive side, most of the errors this research uncovered stemmed from simple API vulnerabilities. Nearly all of them tie to the OWASP API Security Top 10 list, the de facto guide to help the industry understand and mitigate the most common weaknesses and security flaws that can exist with APIs. In this case, the culprits included:
- Broken user authentication (API2) – allowing attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorized access to applications
- Mass assignment (API6) – allowing an attacker to change critical data properties and exploit a privilege escalation
- Injection (API8) – allowing attackers to send malicious data to an API, where it is then processed by an interpreter, parsed by the application server, or passed on to an integrated service
These vulnerabilities should have been found with simple pen tests.
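To make the first two categories concrete, here is an added example in plain Python (not code from this post or from the research it cites): a constructed toy telematics API with a VIN-only lock command and an unfiltered profile update, each beside a hardened version. The VIN, account names and session tokens are invented.

```python
"""Toy telematics command API (added example, not code from the post or from
Sam Curry's research). It shows two of the OWASP API Top 10 issues named
above, each beside a hardened version: broken user authentication (API2) and
mass assignment (API6). Every name, token and VIN here is constructed."""

# Constructed sample data: which account owns which VIN, and which session
# token belongs to which account.
OWNERS = {"1HGCM82633A004352": "alice"}
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}
CUSTOMER_EDITABLE = {"email", "phone"}  # fields a customer may change


def lock_vehicle_vulnerable(vin: str) -> str:
    """API2: the VIN is treated as if it were a credential. A VIN is not a
    secret, so anyone who knows it can send commands to the car."""
    if vin not in OWNERS:
        raise KeyError("unknown VIN")
    return f"lock sent to {vin}"


def lock_vehicle_hardened(session_token: str, vin: str) -> str:
    """Authenticate the caller first, then check that the authenticated
    account is the one linked to this VIN before sending the command."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not authenticated")
    if OWNERS.get(vin) != user:
        raise PermissionError("vehicle not linked to this account")
    return f"lock sent to {vin}"


def update_profile_vulnerable(profile: dict, body: dict) -> dict:
    """API6: every field in the request body is bound onto the stored
    profile, so a client can also set 'role' and escalate privileges."""
    updated = dict(profile)
    updated.update(body)
    return updated


def update_profile_hardened(profile: dict, body: dict) -> dict:
    """Bind only allowlisted fields; reject a body that names any other."""
    extra = set(body) - CUSTOMER_EDITABLE
    if extra:
        raise ValueError(f"fields not permitted: {sorted(extra)}")
    updated = dict(profile)
    updated.update(body)
    return updated
```

The hardened versions are the checks a pen test of these endpoints would look for: a session bound to the account that owns the vehicle, and an allowlist on writable fields.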
How to avoid the digital blind spot
At a basic level, developers at automobile manufacturers must educate themselves about the top API security threats. While many of these threats should have been caught by shift-left practices during development, they also highlight why you must “shield right” with runtime protection. Car manufacturers need more visibility into API traffic to detect vulnerabilities and threats.
Manufacturers must validate that the flow of information – enabling these applications – is being done in a secure and standard way. In addition, they must implement proper oversight and governance for APIs – for which they are fully accountable.
If manufacturers are passing consumer data to a third party, they also need to implement controls and oversee the architecture of how they’re managing communication out to their fleet.
Moreover, car manufacturers need to ensure that their controls are effective. As a whole, the industry would benefit by adhering to some type of compliance regulation. Unfortunately, the automotive industry needs to catch up in this regard.
Consumers – the drivers using these new conveniences – must also exhibit caution. In most cases, if there is a malfunction within a car, people tend to think that there’s a bug in the system. If your door locks by itself, you don’t immediately think that you’ve been hacked; you assume something’s not working with the car. Consumers aren’t used to being exposed to this type of vulnerability. Even as a security professional myself, I don’t have the time to go out there and pen-test my new car.
If you have advanced applications in your car, be sure to apply the latest security protections available. Be vigilant about proper account controls. Understand the data that these applications require to work so that if something does become compromised, you can mitigate exposure. Finally, be aware of the access you grant when you connect your phone to your car.
Needed – new digital rules of the road
Digitalization has changed the rules of the road, and APIs are driving the journey. We are just now seeing the first wave of digital automotive applications. Until features mature and are more effectively governed, we can expect continued exploits and vulnerabilities in the automotive sector.
Consumers tend to think their cars are safe and secure from cybersecurity threats, but that’s all changing with the emergence of these new and high-quality services. APIs only lived within the vehicle in the past, but now they can be accessed from anywhere.
The success of automotive manufacturers will depend on protecting the data behind their innovative new services. Car manufacturers must take the initiative to apply the controls needed to secure their own and their customers’ sensitive and critical data. The consequences exceed brand reputational damage and business costs – although both are significant. The mayhem that can be caused could include life-and-death situations resulting in catastrophe.
The Salt Security API Protection Platform helps organizations build a complete and accurate API inventory, uncover API attacks in runtime, and gain insights to remediate vulnerabilities and strengthen API development. To learn more, contact us or schedule a personalized demo.