Automotive Hacks Demonstrate a Need for Better API Security
Posted in Security
Vyom Srivastava
May 16, 2023

Recent reports of automotive hacks have demonstrated a growing need for better API security. Hackers have been able to exploit security vulnerabilities in connected cars to steal data and even control vehicle systems without the owner's knowledge or permission, and new vulnerabilities have recently been disclosed across many major automobile brands. These API attacks are not only a safety concern but also a serious financial risk to automakers, car owners, and insurance companies. To protect against these threats, the APIs used to reach vehicle systems must be secured. Below, we discuss why the industry needs better API security and how automakers can protect their vehicles from hackers.

Why The Automotive Industry Needs Better API Security

As the automotive industry moves towards more connected and automated vehicles, security matters more than ever. Connected cars expose far more attack surface than their predecessors, giving malicious actors more ways into the vehicle's systems and data. Hackers have taken control of cars remotely and stolen information such as credit card numbers.

Yet API security in the automotive industry is currently lacking in many ways. The protocols and communication channels in use are often outdated and vulnerable to attack, and the growing number of devices and networks connected to a car makes its data harder to protect. Without proper API security measures in place, malicious actors can exploit vulnerabilities to gain access to a car's data and systems.

What Sort of API Vulnerabilities Are Cars Subject To?

In the connected car industry, APIs control everything from diagnostics and infotainment systems to remote access and self-driving features. As with any technology, these APIs can be vulnerable to security breaches.
Recently, a security research team performed an assessment of the security of automotive APIs. Their findings highlighted several serious issues that must be addressed to secure the connected car industry. Here is an overview of some of the vulnerabilities that were discovered:

Account takeover: One of the most concerning vulnerabilities found was a complete account takeover on BMW and Rolls Royce via misconfigured single sign-on (SSO). This vulnerability could enable an attacker to access private customer data, modify existing accounts, and create new accounts with full administrative privileges.

Remote code execution: The team also discovered a remote code execution (RCE) and access to hundreds of internal tools on Mercedes-Benz and Rolls Royce. This issue allowed an attacker to execute arbitrary code on the vulnerable server and access sensitive information.

Admin control: The researchers also uncovered a full account takeover on Ferrari, as well as arbitrary account creation, which enabled the attacker to access, modify, and delete all customer information and to use administrative CMS functionality to manage Ferrari websites.

Full takeover of fleet systems: SQL injection and a regex authorization bypass on Spireon systems allowed an attacker to access, track, and send arbitrary commands to 15 million telematics systems, and additionally to fully take over fleet management systems for police departments, ambulance services, truckers, and many business fleets.

Full vehicle takeover: Hyundai and Genesis were affected by a vulnerability that allowed an attacker to gain full remote vehicle access and a full account takeover. Honda, Nissan, Infiniti, and Acura were likewise vulnerable to full remote vehicle access and full account takeover.
Mass assignment: A mass assignment vulnerability on Reviver allowed an attacker to remotely track and overwrite the virtual license plates of all Reviver customers, track and administer Reviver fleets, and access, modify, and delete all user information. Nissan was also subject to an entire vehicle takeover due to mass assignment.

Overall, these issues demonstrate a need for better API security within the automotive industry and highlight the risks that exist when APIs are not properly secured. Most of them are authentication, authorization or request-handling flaws at the web API layer (a misconfigured SSO, an authorization check that can be bypassed, fields that should never have been client-writable) rather than bugs in the vehicle's embedded code, which is why the mitigations below start with how the API decides who is calling and what they may touch. It is important to take measures to mitigate common API vulnerabilities to keep user data safe and secure.

Ways to Mitigate Common API Vulnerabilities

The automotive industry is under increasing pressure to improve the security of its connected vehicles, as evidenced by recent high-profile hacks. Therefore, automakers must take API security seriously to ensure the safety of their vehicles and the privacy of their customers. Fortunately, there are steps that companies can take to mitigate the risk of an attack.

First, all APIs should be tested regularly for vulnerabilities. Automated scanning tools detect injection flaws and known misconfigurations, and those findings should be closed as they appear. The flaws listed above, however, were mostly logic errors that scanners rarely catch; they need manual or scripted authorization testing with several accounts of different privilege, confirming that each object (account, vehicle, fleet) can be reached only by its owner.

Second, every API call should be both authenticated and authorized. Authentication establishes who is calling; authorization must then be enforced per object, so that a valid token for one customer cannot read or command another customer's vehicle or another company's fleet. Access should also be restricted to the people and services that need it, which limits the scope of any compromise.

Third, all API traffic should be encrypted in transit with TLS, so that data cannot be read or altered by a man-in-the-middle, and clients (the mobile app, the vehicle's telematics unit) should validate the server certificate rather than accept any certificate presented to them.

Fourth, proper logging and monitoring should be employed to track usage and detect suspicious activity, such as one token reading many different vehicle or account IDs in quick succession, or a burst of authentication failures from one source. Logging should also be used to alert administrators in the event of an attack or unauthorized access attempts.
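Two of the vulnerability classes listed above, mass assignment and an authorization check built on an unanchored regex, are easy to reproduce in a few lines. The block below is an added example written for this page, not code from any manufacturer or from the research cited above; the record layout, field names, fleet path and customer data are assumptions made for illustration. Each vulnerable handler is shown beside a hardened version.

```python
"""Added example (not from the cited research): two API vulnerability classes,
each in a vulnerable and a hardened form. All data and paths are constructed."""
import re

# --- Mass assignment ---------------------------------------------------------
# Constructed customer record layout. "role" and "fleet_id" are server-owned and
# must never be writable from a profile-update request.

PROFILE_WRITABLE = frozenset({"email", "display_name"})   # assumed allow-list


def update_profile_vulnerable(record, body):
    """Copies every key of the request body onto the stored record.
    A body of {"role": "admin"} or {"fleet_id": 1500} silently escalates the caller."""
    updated = dict(record)
    updated.update(body)          # trusts field names straight from the client
    return updated


def update_profile_hardened(record, body):
    """Accepts only allow-listed fields and rejects the whole request if anything
    else is present, so a probing client gets a visible error rather than a
    silent privilege change."""
    unexpected = set(body) - PROFILE_WRITABLE
    if unexpected:
        raise PermissionError(f"fields not writable via this endpoint: {sorted(unexpected)}")
    updated = dict(record)
    updated.update(body)          # safe now: every key was checked above
    return updated


# --- Authorization bypass via an unanchored regex ----------------------------
# Assumed route: /api/fleets/<id>/vehicles, callable only by members of that fleet.

FLEET_VEHICLES = re.compile(r"/api/fleets/(\d+)/vehicles")


def authorize_fleet_vulnerable(user, path):
    """Checks that the caller's fleet id appears *somewhere* in the path.
    re.search is unanchored, so a fleet-15 user passes for fleets 150, 1500,
    315 and any other id that merely contains the digits "15"."""
    return re.search(str(user["fleet_id"]), path) is not None


def authorize_fleet_hardened(user, path):
    """Parses the fleet id out of a fully matched path and compares it as an
    integer; any path that is not exactly the caller's own fleet is denied."""
    m = FLEET_VEHICLES.fullmatch(path)
    return m is not None and int(m.group(1)) == user["fleet_id"]


if __name__ == "__main__":
    alice = {"id": 1, "email": "alice@example.com", "role": "customer", "fleet_id": 15}
    hostile_body = {"email": "alice@example.com", "role": "admin"}

    print("vulnerable role:", update_profile_vulnerable(alice, hostile_body)["role"])
    try:
        update_profile_hardened(alice, hostile_body)
    except PermissionError as exc:
        print("hardened:", exc)

    for path in ("/api/fleets/15/vehicles", "/api/fleets/1500/vehicles"):
        print(path, "vulnerable:", authorize_fleet_vulnerable(alice, path),
              "hardened:", authorize_fleet_hardened(alice, path))
```

The hardened profile handler rejects rather than ignores unknown fields; dropping them quietly is safer than merging them, but an explicit error surfaces the probing in logs, which ties into the monitoring step below. The hardened fleet check uses fullmatch and an integer comparison instead of trusting a substring, which is the general fix for any "does the caller's id appear in the request" style of check.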
Finally, APIs should be designed with security in mind from the beginning. Automotive companies should use secure coding techniques and security best practices when developing their APIs. Automakers must also ensure secure communication between vehicles and other connected devices, such as smartphones and smart home devices. By following these steps, automotive companies can greatly reduce the risk of a successful attack on their APIs. However, no matter how secure a system may seem, hackers are constantly devising new methods of exploiting vulnerabilities, so automotive companies must stay ahead by keeping informed about the latest threats and implementing appropriate countermeasures.

Potential Vulnerabilities In The Future of Connected Cars

As connected cars and self-driving vehicles become more prevalent, the concern over API security will only grow. Automotive companies will be hard-pressed to ensure hackers don't exploit their systems to access critical data or gain control of vehicle functions. Some potential API vulnerabilities in the future of connected and self-driving vehicles include the following:

Unauthorized access: Hackers could gain access to a car's API and use it to control the vehicle or access sensitive data stored on it. This could include credit card information, driver identification data, and other personal information.

Privacy breaches: If a car's API is not properly secured, it could lead to privacy breaches. Hackers could use the API to track a car's location or monitor its driver's activities, a significant privacy risk for drivers.

Denial of Service attacks: Denial of Service (DoS) attacks could be used to disrupt a car's API and prevent it from communicating with other components. This could leave the car unable to operate as intended, or cut it off from remote services such as assistance calls and updates.
Tampering with software updates: If the update channel is not secured properly, hackers could tamper with software updates and inject malicious code into the car's systems. This could cause the car to malfunction or even crash, putting the safety of the driver and passengers at risk. The standard defence is to sign every update package and have the vehicle verify the signature, and the version number to prevent rollback to a vulnerable release, before installing it.

For automotive companies, ensuring the security of their APIs is essential for protecting drivers, passengers, and vehicle data from malicious actors. As such, automotive companies must take measures to prevent these vulnerabilities from being exploited and protect the security of their APIs.
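The logging and monitoring recommendation in the mitigation section above is concrete enough to show in code. The block below is an added example written for this page, not tooling from any manufacturer or telematics vendor: it runs two detections over a constructed JSON-lines API access log. The log format, field names, thresholds and the one-minute window are all assumptions made for the example; the first rule catches one token walking many vehicle IDs (the access pattern of an enumeration after an account or fleet takeover), the second a burst of 401/403 responses from one source IP.

```python
"""Added example (not any vendor's tooling): detection rules over a constructed
API access log. Format, fields, thresholds and sample lines are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

VEHICLE_PATH = re.compile(r"^/api/vehicles/(\d+)/")
WINDOW = timedelta(seconds=60)
MAX_DISTINCT_VEHICLES = 5     # assumed: more than this per token per window is suspicious
MAX_AUTH_FAILURES = 4         # assumed: this many 401/403s per IP per window is suspicious

# Constructed sample log (not real traffic): tok_A walks six vehicle ids in ten
# seconds, tok_B uses its own vehicle normally, and 198.51.100.9 is refused four times.
SAMPLE_LOG = """\
{"ts":"2023-05-01T10:00:00Z","token":"tok_A","ip":"203.0.113.5","path":"/api/vehicles/1001/location","status":200}
{"ts":"2023-05-01T10:00:02Z","token":"tok_A","ip":"203.0.113.5","path":"/api/vehicles/1002/location","status":200}
{"ts":"2023-05-01T10:00:04Z","token":"tok_A","ip":"203.0.113.5","path":"/api/vehicles/1003/location","status":200}
{"ts":"2023-05-01T10:00:06Z","token":"tok_A","ip":"203.0.113.5","path":"/api/vehicles/1004/location","status":200}
{"ts":"2023-05-01T10:00:08Z","token":"tok_A","ip":"203.0.113.5","path":"/api/vehicles/1005/location","status":200}
{"ts":"2023-05-01T10:00:10Z","token":"tok_A","ip":"203.0.113.5","path":"/api/vehicles/1006/location","status":200}
{"ts":"2023-05-01T10:05:00Z","token":"tok_B","ip":"192.0.2.44","path":"/api/vehicles/2001/location","status":200}
{"ts":"2023-05-01T10:05:30Z","token":"tok_B","ip":"192.0.2.44","path":"/api/vehicles/2001/unlock","status":200}
{"ts":"2023-05-01T10:07:00Z","token":"tok_C","ip":"198.51.100.9","path":"/api/vehicles/3001/unlock","status":403}
{"ts":"2023-05-01T10:07:05Z","token":"tok_C","ip":"198.51.100.9","path":"/api/vehicles/3002/unlock","status":403}
{"ts":"2023-05-01T10:07:10Z","token":"tok_C","ip":"198.51.100.9","path":"/api/vehicles/3003/unlock","status":403}
{"ts":"2023-05-01T10:07:15Z","token":"tok_C","ip":"198.51.100.9","path":"/api/vehicles/3004/unlock","status":403}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_enumeration(events):
    """Flag a token that successfully reads more than MAX_DISTINCT_VEHICLES
    distinct vehicle ids inside any sliding WINDOW."""
    per_token = defaultdict(list)            # token -> [(ts, vehicle_id), ...]
    for e in events:
        m = VEHICLE_PATH.match(e["path"])
        if m and e["status"] == 200:
            per_token[e["token"]].append((e["ts"], m.group(1)))
    alerts = []
    for token, hits in per_token.items():
        for i, (start, _) in enumerate(hits):
            distinct = {vid for t, vid in hits[i:] if t - start <= WINDOW}
            if len(distinct) > MAX_DISTINCT_VEHICLES:
                alerts.append({"rule": "vehicle_enumeration", "token": token,
                               "distinct_vehicles": len(distinct)})
                break                         # one alert per token is enough
    return alerts


def detect_auth_failures(events):
    """Flag a source IP with at least MAX_AUTH_FAILURES 401/403 responses
    inside any sliding WINDOW (credential guessing or authorization probing)."""
    per_ip = defaultdict(list)               # ip -> [ts, ...]
    for e in events:
        if e["status"] in (401, 403):
            per_ip[e["ip"]].append(e["ts"])
    alerts = []
    for ip, stamps in per_ip.items():
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= WINDOW)
            if count >= MAX_AUTH_FAILURES:
                alerts.append({"rule": "auth_failure_burst", "ip": ip, "failures": count})
                break
    return alerts


def run_detections(text):
    """Run every rule over one log text and return the combined alert list."""
    events = parse_log(text)
    return detect_enumeration(events) + detect_auth_failures(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

In production the thresholds would be tuned per principal type (a fleet manager legitimately touches many vehicles, a private owner one or two), and the alerts would feed the administrator notification the text calls for rather than being printed. The point of the example is that the two signals it looks for are exactly what an account takeover or fleet-system compromise produces at the API layer, and they are only visible if every request is logged with its principal, source and target object.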