In this session, recorded during the Auto ISAC Partners Week, Upstream’s Dr. Matthias Lenk and Fabian Stahl explain why API security remains a critical yet overlooked blind spot in the race to secure connected vehicles.
While traditional defenses focus on endpoints, networks, and known vulnerabilities, they often miss a deeper risk: the misuse or exploitation of the APIs that directly command and control vehicle systems. The session shows how malicious actors exploit these APIs, often without triggering conventional alerts, and how this gap has real-world consequences. It covers recent high-profile cases, such as the VIN Spray attack, in which attackers used manipulated API calls and social engineering to pair unauthorized users with vehicles, and research showing how simple dealership API vulnerabilities can enable remote control of vehicle features using nothing more than a license plate number.
What makes these attacks particularly dangerous is the lack of contextual visibility. API activity often goes unanalyzed in relation to other data streams. To change that, we’ll highlight the urgent need to correlate API transactions with telematics, ADAS, and other sensor-driven vehicle data. This correlation enables deep contextual analysis, allowing organizations to detect suspicious API behavior in real time, before it translates into a safety or security event on the road.
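The kind of correlation described above, as an added illustrative example that is not part of the session or of Upstream's own detection logic: API transactions are joined to the latest telematics sample for the same VIN, and two heuristic rules are applied. Rule 1 flags a state-changing command (unlock, pairing, remote start) against a vehicle whose telematics say it is moving; rule 2 flags one account pairing itself to many distinct VINs in a short window, the fan-out pattern one would expect from a VIN-spray style campaign. The rules, thresholds, record formats and all sample data are constructed assumptions for the example, not fields from any real vehicle API.

```python
"""Correlate connected-vehicle API transactions with telematics to flag
suspicious commands. Illustrative example only: the two rules, the record
layouts and every sample record below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiTx:
    ts: datetime
    account: str
    vin: str
    action: str  # e.g. "pair_user", "unlock", "remote_start", "get_status"


@dataclass(frozen=True)
class Telemetry:
    ts: datetime
    vin: str
    speed_kph: float
    ignition: bool


T0 = datetime(2024, 5, 1, 12, 0, 0)

# Constructed telematics stream: VIN A is parked, VIN B is driving.
TELEMETRY = [
    Telemetry(T0, "VINA0000000000001", 0.0, False),
    Telemetry(T0 + timedelta(minutes=1), "VINB0000000000002", 92.0, True),
    Telemetry(T0 + timedelta(minutes=2), "VINB0000000000002", 95.0, True),
]

# Constructed API transactions: a legitimate unlock of a parked car, an unlock
# of a moving car, and one account pairing itself to four VINs within a minute.
API_TXS = [
    ApiTx(T0 + timedelta(seconds=30), "owner1", "VINA0000000000001", "unlock"),
    ApiTx(T0 + timedelta(minutes=2, seconds=10), "owner2", "VINB0000000000002", "unlock"),
    ApiTx(T0 + timedelta(minutes=3), "attacker", "VINC0000000000003", "pair_user"),
    ApiTx(T0 + timedelta(minutes=3, seconds=20), "attacker", "VIND0000000000004", "pair_user"),
    ApiTx(T0 + timedelta(minutes=3, seconds=40), "attacker", "VINE0000000000005", "pair_user"),
    ApiTx(T0 + timedelta(minutes=4), "attacker", "VINF0000000000006", "pair_user"),
]

# Assumed set of API actions that change vehicle state rather than read it.
STATE_CHANGING = {"unlock", "pair_user", "remote_start"}


def latest_telemetry(vin, ts, telemetry, max_age=timedelta(minutes=5)):
    """Most recent sample for `vin` at or before `ts`; None if missing or stale.

    Treating stale telemetry as absent avoids judging a command against a
    vehicle state that is minutes old."""
    candidates = [t for t in telemetry if t.vin == vin and t.ts <= ts]
    if not candidates:
        return None
    latest = max(candidates, key=lambda t: t.ts)
    return latest if ts - latest.ts <= max_age else None


def correlate(api_txs, telemetry, fanout_threshold=3, window=timedelta(minutes=10)):
    """Return a list of (rule, account, detail) alerts over the two streams."""
    alerts = []

    # Rule 1 (assumed heuristic): a state-changing command issued while the
    # vehicle's latest telematics sample reports it in motion.
    for tx in api_txs:
        if tx.action not in STATE_CHANGING:
            continue
        sample = latest_telemetry(tx.vin, tx.ts, telemetry)
        if sample is not None and sample.speed_kph > 0:
            alerts.append(("command_while_moving", tx.account, tx.vin))

    # Rule 2 (assumed heuristic): one account pairing to `fanout_threshold` or
    # more distinct VINs inside `window`; reported once per account.
    pairings = defaultdict(list)
    for tx in sorted(api_txs, key=lambda t: t.ts):
        if tx.action == "pair_user":
            pairings[tx.account].append(tx)
    for account, txs in pairings.items():
        for i, first in enumerate(txs):
            vins = {t.vin for t in txs[i:] if t.ts - first.ts <= window}
            if len(vins) >= fanout_threshold:
                alerts.append(("pairing_fanout", account, len(vins)))
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(API_TXS, TELEMETRY):
        print(alert)
```

Neither rule fires on the API stream alone: rule 1 needs the telematics join, and rule 2 needs per-account history across VINs rather than a per-request check, which is exactly the context a per-endpoint API gateway does not have. In practice the speed threshold, the pairing fan-out limit and the staleness window would be tuned per fleet, and the VIN join would run against the telematics platform rather than an in-memory list.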