While driving, we often worry about mechanical problems and accidents. But we usually don’t think about the risk of our car being hacked. The automotive industry is constantly innovating around vehicle connectivity, from the earliest car radios to the latest smart technology. A modern phone app allows you to remotely lock, unlock and start your vehicle without having to look for your car keys. Additionally, engine fluid levels and driver activity can be reported to the manufacturer’s database.
The average connected car runs over 100 million lines of software code across its electronic control units (ECUs), plus further software that manages vehicle location, status, and usability, and it relies on roughly a thousand APIs to let those systems interact. From requesting air conditioning while the owner is still inside the house, to adjusting navigation, engine functions, and even brake performance, these systems work together to deliver better functionality and performance.
But the very things that make connected cars so useful can also be used by threat actors to steal them or, even more alarmingly, remotely control them while they’re on the road. This clearly poses a serious threat to both the safety and privacy of the vehicle owner and others around the “hacked” vehicle.
Convenience risk
APIs used in connected vehicle systems provide points of entry for hackers and other malicious actors to exploit cars, trucks, telematics devices, and fleet management operators. According to Cequence Security, the number of automotive API attacks increased by 380% last year, accounting for 12% of all incidents.
In 2023 alone, several notable API flaws were disclosed affecting major automakers including Honda, Toyota, Mercedes, and BMW, exposing the data of thousands of customers. Vehicles store large amounts of personally identifiable information (PII), which can lead to fraud if it falls into the wrong hands. A security flaw in an API could allow an attacker to access internal dealer portals, query VINs, and remotely take over customer accounts.
This type of vulnerability could not only allow an attacker to access PII, but also facilitate unauthorized changes to vehicle ownership.
According to the OWASP API Security Top 10, the most common weakness exploited by threat actors is Broken Object Level Authorization (BOLA). BOLA vulnerabilities occur when an API checks that a caller is authenticated but not that the caller is entitled to the specific object (a VIN, a vehicle, a customer account) named in the request. An attacker with one ordinary account can then substitute other identifiers to expose other customers' PII and to remotely start, stop, lock, and unlock their vehicles.
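The following is an added illustration of the BOLA pattern described above, written for this article; it is not code from any automaker or from the original page. The endpoints, bearer tokens, VINs and vehicle records are constructed, and the handlers return `(http_status, body)` tuples so the behaviour can be exercised without a web server. The vulnerable handlers authenticate the caller and then serve whatever VIN was requested; the fixed handlers add the object-level ownership check, return the same 404 for "no such VIN" and "not your VIN" so the endpoint cannot be used to enumerate VINs, and restrict remote commands to an allowlist.

```python
"""Broken Object Level Authorization (BOLA) in a connected-car API.

Added example for this article. Endpoints, tokens, VINs and records are
constructed; handlers return (http_status, body) instead of running a server.
"""

# Constructed data: which customer owns which VIN, and which bearer token
# belongs to which customer.
VEHICLES = {
    "1HGCM82633A004352": {"owner": "alice", "location": "51.50,-0.12", "fuel_pct": 62},
    "WBA3A5C51CF256987": {"owner": "bob", "location": "48.85,2.35", "fuel_pct": 18},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop"}


def authenticate(token):
    """Return the customer id for a valid bearer token, else None."""
    return SESSIONS.get(token)


# --- Vulnerable: authentication is checked, object ownership is not -------
def get_vehicle_vulnerable(token, vin):
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        return 404, {"error": "not found"}
    # Any logged-in customer can read any VIN: this is the BOLA flaw.
    return 200, vehicle


def send_command_vulnerable(token, vin, action):
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    if vin not in VEHICLES:
        return 404, {"error": "not found"}
    # No ownership check and no action allowlist: any customer can unlock any car.
    return 200, {"vin": vin, "action": action, "accepted": True}


# --- Fixed: the record must exist AND belong to the caller ----------------
def _owned_vehicle(user, vin):
    """Object-level authorization: None unless the VIN exists and is the caller's."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != user:
        return None
    return vehicle


def get_vehicle_fixed(token, vin):
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    vehicle = _owned_vehicle(user, vin)
    if vehicle is None:
        # Same response for "no such VIN" and "not your VIN", so the endpoint
        # cannot be used to confirm which VINs exist.
        return 404, {"error": "not found"}
    return 200, vehicle


def send_command_fixed(token, vin, action):
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    if action not in ALLOWED_COMMANDS:
        return 400, {"error": "unknown action"}
    if _owned_vehicle(user, vin) is None:
        return 404, {"error": "not found"}
    return 200, {"vin": vin, "action": action, "accepted": True}


def harvest(handler, token, candidate_vins):
    """What an attacker holding one ordinary account collects by iterating
    candidate VINs through a handler: {vin: body} for every 200 response."""
    found = {}
    for vin in candidate_vins:
        status, body = handler(token, vin)
        if status == 200:
            found[vin] = body
    return found


if __name__ == "__main__":
    # Bob's token against every VIN: the vulnerable handler leaks Alice's car too.
    print("vulnerable:", sorted(harvest(get_vehicle_vulnerable, "tok-bob", VEHICLES)))
    print("fixed:     ", sorted(harvest(get_vehicle_fixed, "tok-bob", VEHICLES)))
    print("unlock Alice's car as Bob (vulnerable):",
          send_command_vulnerable("tok-bob", "1HGCM82633A004352", "unlock")[0])
    print("unlock Alice's car as Bob (fixed):     ",
          send_command_fixed("tok-bob", "1HGCM82633A004352", "unlock")[0])
```

The important design point is that the ownership check lives in one helper (`_owned_vehicle`) that every object-addressing handler must call, rather than being re-implemented per endpoint; BOLA bugs typically appear on the one handler where a developer forgot it.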
The automotive industry's focus is on ensuring that the technology that powers vehicles contains as few API vulnerabilities as possible, but even correctly coded APIs can be abused, so protection through continuous scanning of the entire API inventory is still required. Attacks against well-formed APIs are becoming more common because attackers take advantage of the very non-functional qualities that developers value in APIs: flexibility, speed, and ease of use.
Prevent threat actors from penetrating API security
APIs are the biggest attack vector. However, many of today’s security teams lack the visibility and prevention capabilities needed to reduce risk. Car manufacturers must take responsibility and look from the outside in, just as attackers do, to securely configure and regularly test their APIs.
To address risks to vehicle and passenger safety and protect customer data, companies should strive to implement a unified and integrated approach that works across the entire API protection lifecycle. Visibility into all public API footprints that threat actors can use as entry points is critical to success.
According to Cequence Security, roughly half of all APIs are unknown or shadow APIs. With millions of connected cars, that leaves a correspondingly large number of shadow APIs for threat actors to exploit. Businesses should continually analyze both public and internal APIs to discover which are high risk and implement alerting for them. This lets security teams comply with industry regulations while building efficient systems to monitor and block malicious requests, reducing downtime and the exposure of sensitive customer data.
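The discovery step above can be started from data most teams already have: compare the endpoints actually seen in gateway or web-server access logs against the documented inventory, and treat anything unlisted as a shadow API. The block below is an added example written for this article (not Cequence's product or code from the original page). The inventory, log lines, VINs and paths are constructed; in practice the inventory would be generated from OpenAPI specs or gateway configuration, and the logs would be streamed rather than embedded. Identifiers in paths (VINs, numeric ids, UUIDs) are collapsed to placeholders so that requests for different vehicles fold into one endpoint template, and the high-risk filter picks out shadow endpoints that both address an object by identifier (the shape in which a missing check becomes BOLA) and have actually served a 2xx response.

```python
"""Shadow API discovery from access logs.

Added example for this article. The inventory, log lines, hosts, VINs and
paths are constructed; nothing here is vendor code.
"""
import re
from collections import defaultdict

# Documented inventory: (method, path template). Constructed for the example;
# in practice generated from OpenAPI specs or API gateway configuration.
KNOWN_ENDPOINTS = {
    ("GET", "/v2/vehicles/{vin}/status"),
    ("POST", "/v2/vehicles/{vin}/commands"),
    ("GET", "/v2/accounts/me"),
}

# Constructed access-log lines in combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /v2/vehicles/1HGCM82633A004352/status HTTP/1.1" 200 512 "-" "CarApp/4.1"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "POST /v2/vehicles/1HGCM82633A004352/commands HTTP/1.1" 200 64 "-" "CarApp/4.1"
10.0.0.9 - - [12/Mar/2024:10:02:41 +0000] "GET /v1/vehicles/1HGCM82633A004352/location HTTP/1.1" 200 188 "-" "CarApp/2.3"
10.0.0.9 - - [12/Mar/2024:10:02:45 +0000] "GET /v1/vehicles/WBA3A5C51CF256987/location HTTP/1.1" 200 190 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:03:10 +0000] "GET /internal/dealer/vin/WBA3A5C51CF256987 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2024:10:04:00 +0000] "GET /v2/accounts/me HTTP/1.1" 200 330 "-" "CarApp/4.1"
10.0.0.9 - - [12/Mar/2024:10:04:12 +0000] "GET /v2/accounts/10042/profile HTTP/1.1" 403 41 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:04:30 +0000] "DELETE /v2/vehicles/1HGCM82633A004352/commands HTTP/1.1" 405 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Path segments that look like object identifiers are replaced by placeholders
# so /vehicles/<vin A>/status and /vehicles/<vin B>/status become one template.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")  # 17 chars, letters I/O/Q excluded
NUM_RE = re.compile(r"^\d+$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def normalize_path(path):
    """Strip the query string and collapse identifier segments to placeholders."""
    path = path.split("?", 1)[0]
    out = []
    for seg in path.split("/"):
        if VIN_RE.match(seg):
            out.append("{vin}")
        elif NUM_RE.match(seg) or UUID_RE.match(seg):
            out.append("{id}")
        else:
            out.append(seg)
    return "/".join(out)


def parse_log(text):
    """Yield (method, path, status, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["method"], m["path"], int(m["status"]), m["ua"]


def find_shadow(text, inventory=KNOWN_ENDPOINTS):
    """Group traffic by (method, template); return the groups absent from inventory."""
    seen = defaultdict(lambda: {"count": 0, "statuses": set(), "clients": set(), "example": None})
    for method, path, status, ua in parse_log(text):
        entry = seen[(method, normalize_path(path))]
        entry["count"] += 1
        entry["statuses"].add(status)
        entry["clients"].add(ua)
        entry["example"] = entry["example"] or path
    return {key: val for key, val in seen.items() if key not in inventory}


def high_risk(report):
    """Shadow endpoints that name an object by identifier (where a missing
    authorization check becomes BOLA) and have actually served a 2xx."""
    return sorted(
        key for key, val in report.items()
        if ("{vin}" in key[1] or "{id}" in key[1])
        and any(200 <= s < 300 for s in val["statuses"])
    )


if __name__ == "__main__":
    report = find_shadow(SAMPLE_LOG)
    for (method, tmpl), val in sorted(report.items()):
        print(f"{method:6} {tmpl:38} hits={val['count']} "
              f"statuses={sorted(val['statuses'])} clients={sorted(val['clients'])}")
    print("high risk:", high_risk(report))
```

Two of the findings in the constructed log are the kind a team would want alerted on immediately: an old `/v1/` location endpoint still answering after the documented API moved to `/v2/`, and an `/internal/dealer/` path reachable from the same client that was probing customer profiles. The unexpected `DELETE` on a documented path is also reported, because the inventory is keyed by method as well as template.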
Short of someone breaking into your car and stealing your wallet or other personal documents, the vast number of APIs that connect us to our cars poses the most significant security risk. Automotive companies must therefore take steps to discover unknown and exposed APIs and protect them.