API Security Needs to be Integral in Automotive Threat Analysis and Risk Assesment

APIs enable the opportunity to innovate and improve services in the connected vehicle and smart mobility ecosystem. APIs are widely used in advanced features, services and fleet management systems – from mobile apps to cloud services to IoT infrastructure and aftermarket technologies APIs make the digital transformation of OEMs and fleet managers possible.

APIs have a downside; they present the largest growing attack surface for organizations and offer adversaries and hackers a scalable and fully remote way to attack.

The OWASP umbrella focuses entirely on IT security. Still, the OWASP Top 10 vulnerabilities also apply to the smart mobility industry. API risks exist in backend vehicle services, companion apps, and many other technologies and carry an OT element that should be considered for threat mitigation. Going beyond OWASP Top 10, according to Upstream’s research, API-based attacks have nearly quadrupled from 2021 to 2022, offering adversaries a highly scalable and effective means to gain access to vehicle controls and sensitive data. The relatively low know-how threshold and ability to attack remotely are spiking creativity and new attack methods that extend beyond OWASP Top 10. In addition, given the nature of APIs they enable adversaries to execute wide-scale attacks, and even impact entire fleets.

What risks should be factored in regarding APIs in smart mobility?

OEMs

Connected vehicles and software-defined vehicles rely on numerous APIs for basic functionality.

Telematics servers use APIs for multiple functionalities, infotainment systems connect to 3rd party applications, and OTA (over-the-air) servers and OEM mobile apps connect to a backend application gateway. By accessing automotive OEM services from an API, adversaries can leak data and even control in-vehicle functionalities. Recently, security researchers revealed that they managed to access and control multiple vehicles from various OEMs by exploiting an APIs broken object-level authorization (BOLA). The researchers found that sending an API request, via a telematics service provider, with the VIN on a unique ID field enabled them to remotely start, stop, lock, and unlock vehicles (source). 

Fleet Managers

Like OEMs, fleet managers – from car leasing to commercial shipping companies and even government agencies – are now managing fleets that are more connected than ever and utilizing the data to improve services and revenues. Still, this increased connectivity has introduced API-related cyber risks.

Fleet managers are using in-vehicle devices that connect with backend management systems and mobile applications, allowing for more streamlined operations. These are all enabled by APIs, creating the opportunity for a large-scale attack via a non-secured API and resulting in vehicle theft or data misuse.

EV Charging Stations 

EV charging stations have evolved rapidly. While the spread and availability of these stations are critical for increasing consumer trust and adoption of EVs, they, unfortunately, are vulnerable to attacks and tampering. 

Since EV charging stations often communicate with companion apps via an API, this makes them susceptible to API-based attacks, which can lead to anything from PII leakage to impact or even outage on the local electrical grid. 

 

What can smart mobility stakeholders do?

Smart mobility stakeholders should consider that their assets are more OT than IT and approach securing their APIs with context. This means that standard API risk assessment methodologies need to be adjusted to include the correlated risk of APIs impact on moving vehicles. In addition, the threat analysis models should consider the state of the vehicle, consumer, and application to detect unusual API behaviors. 

The potential risk of each API should be considered by assessing what is accessible via that API. For example, is it read-only, or could an adversary potentially utilize it to control a vehicle remotely? The interconnected impact of the API on other APIs used by the organization should also factor in when assigning a risk score to any API. Considering that the logic exposed by a single API can provide key insights that may enable a different API to be exploited should factor into the risk assessment and threat analysis. 

Upstream’s Smart Mobility API Security relies on a robust digital twin, a live digital representation of the consumer and vehicle’s state and other related assets. 

With a comprehensive view of all assets impacted, from the consumer application to the individual vehicle to the entire fleet, Upstream enables OEMs and other smart mobility stakeholders to proactively secure services and applications against cybersecurity threats, vulnerabilities, misconfigurations, and design flaws.

Using Upstream’s API Security solution, smart mobility APIs are continuously discovered using Machine learning-based attack surface discovery. Vulnerabilities, including OWASP API Top 10 risks, are detected with enhanced detection capabilities and layered with deep contextual analysis. The solution leverages monitoring, profiling, and the digital twins of the vehicle, consumer, and applications to detect known automotive threats.

Additionally, the solution allows stakeholders to increase security posture by effectively identifying misconfigurations, threats, and risks related to vehicles or mobility asset functions correlated in real-time with the digital twin. Most importantly, mitigation and response are improved by leveraging existing workflows and tools already used to automatically distribute API-related alerts through existing processes and empower security teams to effectively investigate, respond and mitigate cyber threats and developer errors.