APIs in Vehicle Software Vulnerable to Attacks

All software today depends on APIs, including the software in newer-model vehicles. And that’s creating serious security issues that have already led to vulnerabilities involving the car owners’ PII, GPS tracking and basic vehicle controls ranging from remote locks to engine start/stop. Few car manufacturers are immune to the issues of vulnerable APIs, as evidenced by the attack on Sirius XM.

“It’s well past time for the automotive industry to embrace a defense-in-depth cybersecurity strategy,” Ted Miracco, CEO of Approov, said in a formal statement.

But until the automotive industry and the third-party vendors they rely on step up to improve API security, there is an added layer of risk to vehicle owners and drivers. Any organization that has a stable of fleet vehicles or offers company cars to employees has to be aware of the existing and potential cybersecurity concerns surrounding each vehicle make and model.

What Happened with the Auto APIs

The automotive industry has been victimized by numerous data breaches recently, and many of these vulnerabilities came to light because a web application security researcher named Sam Curry made an accidental discovery of a flaw in an electric scooter’s mobile app.

“To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight,” Curry wrote in a blog post. “We brainstormed for a while, and then realized that nearly every automobile manufactured in the last five years had nearly identical functionality.”

Curry and his team’s research found API flaws across many vehicle makes, and these flaws have led to a number of known breaches.

Most of the attacks involving vehicle APIs, said Miracco in an email comment, have been enabled by a single point of failure, such as exploiting user credentials or API keys to unlock valuable data, sometimes exploiting mobile apps.

Vehicle APIs’ Similarity to Mobile Apps

Vehicle software is very similar to mobile apps in that the software is downloaded onto a device and then communicates with cloud services via APIs. Developers of vehicle software could learn a lot from mobile app development, George McGregor, VP with Approov, said in an email interview.

When API security isn’t being included in the development process, there are other ways to add or improve cybersecurity at other levels. The key, said McGregor, is runtime.

“’Shift left’ strategies are important but cannot address all the attack surfaces that are present at run-time,” McGregor said. Therefore, runtime security is required to prevent official software from being copied, cloned or manipulated. It could also prevent the runtime environment in the car from being manipulated to change software behavior. Finally, runtime security is necessary to secure the channel from the car to the cloud-based services from being intercepted by man-in-the-middle attacks.

The UK’s Approach

Accountability for safety, operability and performance changes will depend on IT infrastructure that spans multiple technology domains, explained Ashley McGlone, technology strategist with Tanium, in an email interview.

While the U.S. currently doesn’t have any regulations in place to monitor the cybersecurity of vehicles, the United Kingdom does. The UK’s UNECE R155 Cyber Security Management System for Vehicles covers the uniform provisions for vehicle cybersecurity and cybersecurity management systems, said McGlone. Included in this standard is Annex 5, which specifically addresses backend servers. Among the areas of sensitivity it specifically names are hosted services, secure software development and unauthorized access.

How to Check APIs for Vulnerabilities

Compromised vehicle APIs could manifest as nothing more than a nuisance (honking horns) or could create a serious risk to the driver (the engine turned off remotely as you are driving along an interstate highway).

One way to check vehicle APIs for vulnerabilities is through runtime monitoring; visibility into API activity is needed to ensure ongoing safe operation.

“The DevSecOps concepts of ongoing security operations will be key. Runtime control to set policies and react to security issues will be critical,” said McGregor.

If a security issue is exposed, it needs to be fixed immediately with no dependencies on new software upgrades.
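The runtime monitoring described above can be made concrete as an added example (not code from the article, Approov or Tanium): it scans constructed API gateway log lines for the two patterns the article's reporting points to, a credential acting on a vehicle it is not entitled to (an object-level authorization failure) and one credential fanning out commands to many vehicles in a short window (the "all of the scooters" pattern). The log format, token names, VINs and ownership map are all assumed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not real data): timestamp, token id, verb, path.
SAMPLE_LOG = """\
2023-01-05T10:00:01Z tok_a1 POST /v1/vehicles/VIN0001/remote/lock
2023-01-05T10:00:04Z tok_a1 POST /v1/vehicles/VIN0001/remote/unlock
2023-01-05T10:01:10Z tok_b7 POST /v1/vehicles/VIN0002/remote/horn
2023-01-05T10:01:11Z tok_b7 POST /v1/vehicles/VIN0003/remote/horn
2023-01-05T10:01:12Z tok_b7 POST /v1/vehicles/VIN0004/remote/horn
2023-01-05T10:01:13Z tok_b7 POST /v1/vehicles/VIN0005/remote/horn
2023-01-05T10:01:14Z tok_b7 POST /v1/vehicles/VIN0006/remote/horn
2023-01-05T10:02:00Z tok_c3 GET  /v1/vehicles/VIN0007/location
2023-01-05T10:02:05Z tok_c3 GET  /v1/vehicles/VIN0008/location
"""

# Constructed ownership map (assumed): vehicles each token is entitled to act on.
OWNERSHIP = {"tok_a1": {"VIN0001"}, "tok_b7": {"VIN0002"}, "tok_c3": {"VIN0007"}}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+/v1/vehicles/([A-Z0-9]+)/(\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, token, verb, vin, action); skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, token, verb, vin, action = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, verb, vin, action))
    return events

def find_anomalies(events, ownership, window=timedelta(seconds=60), fanout_threshold=3):
    """Return {token: set(reasons)} for tokens that touch a vehicle they do not own
    or address more than fanout_threshold distinct vehicles within one window."""
    findings = defaultdict(set)
    per_token = defaultdict(list)
    for ts, token, verb, vin, action in sorted(events):
        if vin not in ownership.get(token, set()):
            findings[token].add(f"unowned:{vin}")
        per_token[token].append((ts, vin))
    for token, hits in per_token.items():
        for i, (start, _) in enumerate(hits):      # sliding window from each event
            vins = {v for t, v in hits[i:] if t - start <= window}
            if len(vins) > fanout_threshold:
                findings[token].add(f"fanout:{len(vins)}")
                break
    return dict(findings)
```

In production the ownership map would come from the account service and the thresholds would be tuned per endpoint, since a fleet-management token legitimately addresses many vehicles.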

Miracco also recommended using a zero-trust system to add security to vehicle software. “Zero-trust systems can verify not only the user, but the physical devices, and the authenticity of an application seeking permission to gain entry to vehicles, access user data including location or payment information, or even start an engine or control the vehicle remotely,” Miracco stated.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
