Addressing API Vulnerabilities in Connected Car Services and Fleets
Application Programming Interfaces (APIs) are ubiquitous in connected car services and fleet management systems. They are the glue that holds together all the pieces of the connected car ecosystem — from mobile apps to cloud services, to IoT infrastructure and aftermarket technologies — making it easier for OEMs and fleet managers to fast forward their digital transformation process.
On the downside, APIs present an ideal target for cyber-attacks by providing hackers with compelling attack surfaces that can be exploited for malicious purposes.
In 2019, the Open Web Application Security Project (OWASP) published a list of the Top 10 web API Vulnerabilities, highlighting the most common and impactful vulnerabilities identified in web applications like broken object-level authorization and broken authentication.
Although the OWASP umbrella focuses entirely on IT security, its Top 10 API vulnerabilities are also applicable to the automotive industry where these exact same threats exist in back-end car services and aftermarket technologies.
In this article, we break down the potential risks of vehicle API vulnerabilities for OEMs and fleet managers and demonstrate how the Argus-imVision partnership aims to address these challenges effectively.
The Risks for OEMs
The modern vehicle and connected services use numerous APIs. Everything from the in-vehicle infotainment (IVI) system, OTA servers, mobile apps connecting to a back-end application gateway, and telematics servers all rely on APIs to achieve several functionalities. These present significant attack surfaces for potential breaches and real-life incidents. Each year, there are hundreds of API breaches in the IT domain, and in the automotive world, there have already been a number of notable breaches.
In one case, two security researchers were able to hack into Nissan Leaf’s companion app, NissanConnect, and remotely control climate settings, drain the car’s battery, and track data from recent journeys. And all of this was possible due to a poorly authenticated API. Now although this attack was driven by a researcher whose intention was to raise awareness and not cause damage, exploiting API vulnerabilities can potentially harm the brand, property, and lives.
More recently, hackers were able to steal more than 100 luxury Mercedez-Benz cars in Chicago by breaking into a Daimler and BMW-backed car-sharing app called Share Now (previously known as Car2Go).
Although “API security” is somewhat of a new concept, the attacks that can be performed through the APIs, are not. Security researchers at Pen Test Partners discovered several vulnerabilities in the smart alarm systems of cars. These flawed alarm systems are distributed by two of the largest vendors: Viper and Pandora Car Alarm system.
Both app vendors were affected with IDOR vulnerabilities (insecure direct object reference) in the API, allowing the researchers to reset passwords, take over personal accounts, and worst yet, hijack the vehicles through the smart alarms and kill the running engine.
The Risks for Fleet Managers
Besides OEMs, fleet managers like freight companies, police forces, firefighters, cash-in-transit, and car leasers all face an equally significant risk of API-related cyber attacks.
During the vehicle aftermarket phase, there’s increasing adoption of connected devices in the vehicle network. Different Fleet Management Services require both in-vehicle devices and back-end management platforms, in which API vulnerabilities may be exploited in an attempt to compromise the fleet’s security posture.
Interestingly, compromising an API vulnerability can lead to a widespread attack on a non-homogenous fleet. This month (August 2020), Germany’s state-owned FuhrparkService’s (BWFU) IT network was hacked. The organization operates 33,500 trucks and chauffeur-driven cars. Although the root cause of the attack is unknown, the dominant presence of APIs (and API vulnerabilities) in enterprise fleet management systems and in-vehicle devices substantially increases the likelihood of a large-scale vehicle attack.
According to the Bundestag parliament, performing such an attack could have led the hackers to obtain politicians’ private addresses and other sensitive details such as times booked and locations. Luckily, the incident was resolved quickly, but the risk of such an attack happening again remains the same.
Next Steps for Automotive CISOs and Fleet Managers
In the IT domain alone, a Gartner Report revealed that by 2022, API vulnerabilities will be the primary cause of data breaches within enterprise web applications. This is vastly due to the extensive usage of API implementations worldwide, providing a new target for wide exploitation.
With this in mind, protecting APIs is becoming extremely important in the IT world, and ultimately, in the automotive industry which relies on advanced technologies. To start, automotive CISOs and fleet managers need to look beyond standard risk assessments and penetration tests and add an additional layer of protection around connected car services.
For this reason, Argus has partnered with imVision, a market leader in API security solutions, to support a variety of new Automotive API security use cases, including all top 10 API vulnerabilities defined by OWASP (and more).
By coupling imVision’s powerful AI and machine learning technologies with Argus’ extensive automotive cyber expertise and use cases, automotive CISOs and fleet managers can detect and respond to API vulnerabilities in vehicles and connected car services such as OTA, Telematics, and Mobile services
According to Simon Sorrell, Chief Business Officer at imVision, “Each API presents a potential attack vector in a vehicle fleet and connected car service. Our joint offering with Argus Fleet Protection supports security teams with early detection of API vulnerabilities, allowing them to automatically block and mitigate these attacks, at scale.”
To learn more about Argus Fleet Protection and how you can build a comprehensive Vehicle SOC to monitor your fleet lifecycle, investigate incidents, and respond to cyberattacks, get your copy of our eBook.
Author: Adi Dubin, Director Product Management
at Argus Cyber Security