API security risks in the automotive industry

The threat cybercrime poses to finances is known, but few recognise the risks inherent with connected cars – here’s how to find vulnerabilities in API security

In 1996, General Motors introduced the world’s first connected car. The offering was fairly rudimentary – a basic system that would contact a call centre in the event of a crash. But the OnStar system, offered in only a few Cadillac models, would change the way we thought about cars. Not long after OnStar was introduced, along came onboard GPS, then Bluetooth, then, finally, the Internet.

These introductions have revolutionised the automotive industry. The benefits are both obvious and innumerable, but connectivity can sometimes be a double-edged sword.

Most people by now understand the threat cybercrime poses to both individuals’ and organisations’ finances, but few recognise the risks inherent with connected cars. In a recent blog post, threat researcher Sam Curry revealed that vulnerabilities in many cars’ online systems could allow cybercriminals to carry out a number of unauthorised actions.
“If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely,” Curry said.

In light of this, it’s important that consumers, organisations and manufacturers alike recognise the risks that come with our cars’ new accessories.

Recognising the risks that come with our cars’ new accessories

APIs fuel digitalisation

Digitalisation, or the adaptation of a system or process to be operated with the use of computers and the Internet, is the driving force behind today’s ultra-convenient society. Aside from connected cars, digitalisation has brought us online banking, food delivery services, super-fast taxi services, and a whole host of other useful technologies.

All of these digitalisation initiatives rely on application programming interfaces (APIs) to function. This includes the modern applications found in your car. In fact, every new feature brought to cars (or any other product or service)- must be fuelled by APIs. The explosion of these new digital applications has accelerated API usage. This, in turn, has created an entirely new and ever-changing digital attack surface – including in your very own car.

Cars may expose PII

Personally identifiable information (PII) represents an irresistible prize for cybercriminals, especially when it’s laid right out in front of them – and that’s just what connected cars are doing. PII could well be exposed by any of the cars mentioned in Curry’s article.

And this problem is only going to worsen in years to come. As more applications are introduced and sophistication increases, the number of threats to PII will grow, and more information will be up for grabs. Perhaps unsurprisingly, luxury models will be the hardest hit.

Curry’s research laid bare the reality of API vulnerabilities in connected cars. They allowed access to hundreds of vital internal applications (Mercedes Benz), employee applications which contained internal dealer portals and sales documents (BMW, Rolls Royce), and full zero-interaction account takeover (ATO) for any customer (Ferrari).

But the worst offender was Spireon. Vulnerabilities in its systems could allow cybercriminals to fully take over any fleet and secure full administrative access to all Spireon products. Spireon’s technology is used by key workers – law enforcement and ambulance drivers, for example – the prospect of cybercriminals hijacking their systems and control vehicles is frightening, to say the least.

Carmakers are responsible for API security

It might seem obvious, but it’s important to note that API security is entirely the responsibility of the manufacturer. Just as you would expect the brakes to work upon your cars’ arrival, so should its cybersecurity be up to scratch.

It’s also worth mentioning that weaknesses like these are nothing new. New products and services are being introduced faster than ever as organisations jostle for a competitive edge, with API usage growing at extraordinary speed – it’s perhaps understandable that API security sometimes falls by the wayside. It is not, however, an excuse, and organisations must be held accountable for API security.

Interestingly, most of the errors Curry’s research identified stem from rudimentary API vulnerabilities. An overwhelming majority can be found on the OWASP API Security Top 10 list, including:

• Broken user authentication (API2) – allowing attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorised access to applications
• Mass assignment (API6) – allowing an attacker to change critical data properties and exploit a privilege escalation
• Injection (API8) – allowing attackers to exploit injection vulnerabilities by sending malicious data to an API that can be processed by an interpreter or parsed by the application server and passed to an integrated service

In one sense, this means these vulnerabilities can be easily remediated. However, on the other hand, these issues should have been found with a simple penetration test. The fact that they didn’t suggest an oversight on the part of manufacturers.

Securing connected cars

What steps can car manufacturers take to protect connected vehicles? The first step is education. Developers employed by automobile manufacturers must, at the very least, be educated on API security threats. This starts with the OWASP API Security Top 10 list. Second, car manufacturers must know all of the APIs within their environment and have visibility into all of the API traffic transporting data back and forth through their applications. Runtime visibility into API behaviours is essential to identify vulnerabilities and threats.

APIs are, at the root, a means of transferring information. Manufacturers need to ensure that the flow of information is being done in a secure and standard way. To go a step further, it’s essential they implement proper oversight and governance for the APIs they are accountable for. This is especially important for manufacturers who parlay consumer data with a third party. In this case, they must implement controls and oversee the architecture of how they’re managing communication out to their fleet.

The automotive industry is woefully behind the times when it comes to cyber-specific compliance regulation

As it stands, the automotive industry is woefully behind the times when it comes to cyber-specific compliance regulation. Regulation would be an invaluable resource for automotive manufacturers because it would help them ensure that their security controls work as they should. There’s no point spending money on a lock if you’re going to leave the door wide open.

While manufacturers are ultimately responsible for API security, that doesn’t mean that consumers can rest on their laurels. They must exercise caution. For many of us, our cars locking by themselves wouldn’t spark suspicion of a hack, we would likely assume the car has simply malfunctioned. This is understandable, given consumers aren’t typically exposed to this type of vulnerability. Moreover, most consumers don’t have the time or skills needed to pen-test their cars every time they go for a drive.

But there are a few things consumers can do to protect themselves and their cars. First, ensure that the most recent security protections are applied – set the device to auto-update, or regularly check for update notifications. Users should also stay vigilant on proper account controls, meaning use strong, unique passwords where one is required. It’s also important to be mindful of just what data is being exposed – credit card details, usernames and passwords, or other PII, for example – so that moves to mitigate exposure can be made. Perhaps most importantly, recognise the risks that come with connecting a phone to a car. Even with the most secure systems there will be an element of risk; drivers must ask themselves what they value more: convenience, or security?

Implementing a digital highway code

In the grand scheme of things, connected cars are still in their infancy. This is only the first wave of digital automotive applications. Exploits and vulnerabilities in the automotive sector will continue until features mature and are more effectively governed. Cybersecurity compliance regulation for the automotive industry, a ‘digital highway code’, if you will, is sorely needed to protect consumers from API security threats.

To succeed with these new applications, automotive manufacturers must protect the APIs that enable the services themselves. Manufacturers must proactively apply the necessary controls to secure both their own and their customers’ sensitive and critical data. The consequences extend beyond financial and reputational damage. With the potential to fully take over a vehicle’s operation, a successful attack could put lives at risk.

By Adam Fisher, Director of Sales Engineering at Salt Security