Korean OEM Hack Emphasizes the Urgent Need for Strong API Security in Connected Vehicles

YONATAN APPEL

CTO & Co-Founder

October 1, 2024

The rise of connected vehicles marks a significant milestone in automotive innovation, providing advanced features such as remote start, real-time navigation, and diagnostics. These smart vehicles rely heavily on APIs to enable seamless communication between the vehicle, the cloud, mobile applications, dealerships, and other digital systems. However, this growing reliance on APIs introduces new cybersecurity risks. The recent API vulnerability discovered in a Korean OEM’s vehicles serves as a crucial reminder of the importance of robust API security in safeguarding the connected vehicle ecosystem. Alongside other large-scale incidents, such as the recent ransomware attack on a US dealership software provider, this situation highlights the urgent need for stronger security measures in the automotive industry.

The Latest API Vulnerability Puts Vehicle Safety and Sensitive Data at Risk

In September 2024, cybersecurity researchers, including Sam Curry, uncovered a serious API vulnerability in Korean OEM’s vehicles that exposed both vehicle security and user safety. The flaw allowed unauthorized individuals to potentially gain remote access to various critical functions of OEM’s cars. This included starting the engine, unlocking the doors, and tracking the car’s location—all through improperly secured API endpoints. This vulnerability impacted almost all vehicles made after 2013. In a hypothetical attack scenario, an adversary could enter the license plate of the OEM’s vehicle, retrieve the victim’s information, and then execute commands on the vehicle after around 30 seconds.

According to Sam Curry, “From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified. An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”

Analysis of this incident, by Upstream’s AutoThreat® team, highlighted several interesting points:

  • The researchers managed to register as a dealer, without a proper validation process. This indicates a critical flaw, which subsequently enabled deeper manipulations.
  • Using an employee-only API, the researchers used the dealer ID they generated and were able to obtain private information on every vehicle based on its VIN.
  • Using only the email address and VIN, the researchers were able to add themselves as the vehicle’s owners and execute vehicle commands, access data, etc. 

The implications of this vulnerability were profound, as it exposed a clear path for adversaries to remotely control essential vehicle functions. Such an attack could lead to dangerous situations, from unauthorized access and theft to more severe scenarios involving driver safety. Although the OEM promptly patched the vulnerability, the incident underscored a fundamental issue: the critical role of API security in modern vehicles and the extensive risks involved if these APIs are not adequately protected. 

Notably, this recent vulnerability is not an isolated incident. Sam Curry has previously uncovered multiple security flaws across the automotive industry. In his research, Curry demonstrated how API vulnerabilities in various automakers could potentially allow attackers to remotely access vehicle controls, track locations, and even manipulate systems such as locks and engines. These findings highlight a recurring pattern of weak API security within the industry, reinforcing the urgent need for automakers to implement more rigorous security measures to protect connected vehicles.

The US Dealership Software Attack: Lessons for the Broader Automotive Ecosystem

APIs are the backbone of communication in the connected vehicle ecosystem. They enable functionalities ranging from remote access and vehicle diagnostics to integration with smart home systems and real-time traffic data. However, this interconnectivity also expands the attack surface, making it a prime target for cybercriminals. Insecure APIs can serve as entry points for attackers to exploit, leading to unauthorized access, data breaches, and potentially life-threatening situations on the road.

OEMs must adopt these measures as part of a broader, security-first approach in API design and maintenance. By doing so, they can mitigate risks, protect vehicle integrity, and safeguard customer trust.

Cyber risks and vulnerabilities extend beyond individual vehicles to the entire automotive ecosystem. A case in point is the ransomware attack on, a software provider for car dealerships, in mid-2024. Attackers gained unauthorized access to the vendor’s systems, resulting in a significant outage that disrupted dealership operations across the country. According to CNN, the attack impacted nearly 15,000 car dealerships across North America and is estimated to have resulted in approximately $944 million in direct losses due to business interruptions.

This incident exposed the ripple effects that cybersecurity weaknesses can have. With dealership management systems paralyzed, customer services were severely impacted, illustrating how vulnerable APIs can potentially threaten not just vehicles but also the network of services that support them. The dealership attack serves as a stark reminder that cybersecurity is a concern for all stakeholders in the connected vehicle ecosystem, from manufacturers and software vendors to dealerships and service providers.

Strengthening API Security: A Path Forward for the Automotive Industry

To ensure the safety and security of connected vehicles, a multi-layered approach to API security is imperative. Monitoring API traffic for OWASP API Security Top 10 is essential but far from inclusive. Stakeholders should also focus on the contextual impact APIs have on operational systems and assets.  

  1. Ongoing Security Audits: Conduct continuous monitoring, vulnerability assessments, and penetration testing to identify and address API security flaws. Specifically, focus on stress-testing the vehicle and mobile companion app registration and enrollment processes.
  2. API Inventory: Inventory your APIs, covering real-time live traffic and transactions, as well as OpenAPI documentation sources. Discovery should include all documented, shadow, and zombie APIs.
  3. Monitor API Traffic: Increase your security posture with continuous discovery of static and dynamic traffic sources for ongoing conformance analysis. Security teams should focus on identifying potential vulnerabilities across the API landscape introduced by updates or additional developments and ensuring continued operations with no disruption or downtime.
  4. Real-Time Threat Detection: Use real-time monitoring tools to detect and mitigate abnormal API activities that may indicate an ongoing attack. It is critical to correlate the attacked API, the contextual implications, and the impact on applications and consumers.
  5. Cross-Industry Collaboration: OEMs, Tier-1s, software vendors, and dealerships must collaborate to share threat intelligence and best practices, building a collective defense against potential threats.

The recent API vulnerability in the Korean OEM’s vehicles, coupled with the massive dealership ransomware attack, underscores the vital importance of API security in the connected vehicle ecosystem. As vehicles become increasingly dependent on APIs for their functionalities, the potential risks from insecure APIs grow. Safeguarding these systems is not just a matter of protecting data; it is a crucial step toward ensuring the physical safety of drivers and passengers, as well as maintaining the operational integrity of the automotive ecosystem. 

By prioritizing API security, they can help ensure that the future of connected vehicles is safe, resilient, and free from the threats posed by increasingly sophisticated cyberattacks.

Newsletter Icon

The 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

Navigating the Evolving Automotive Cybersecurity Regulatory Landscape

Originally published on: April 11, 2024 The automotive industry’s digital transformation has ushered in an era of unprecedented connectivity and technological advancement. Yet, it is…

Read more

Korean OEM Hack Emphasizes the Urgent Need for Strong API Security in Connected Vehicles

The rise of connected vehicles marks a significant milestone in automotive innovation, providing advanced features such as remote start, real-time navigation, and diagnostics. These smart…

Read more

US Push for Cybersecurity: Banning Chinese and Russian Technology in Connected Vehicles

With the rise of connected vehicles, the line between the automotive and technology sectors has become increasingly blurred. Vehicles today are not just mechanical machines;…

Read more

As Cyber Risks Escalate, ISO/WD 24882 Sets New Standards for Safety and Availability in Agricultural OEMs

The digital transformation sweeping through the Automotive and Mobility ecosystem has also made its mark on the Agriculture sector. As a result, OEMs, suppliers, and…

Read more
Skip to content