The Risks of Having Your Vehicle Hacked | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

When driving, we often worry about mechanical issues or accidents. However, we don’t typically think about the risks of having our vehicle hacked. The automotive industry is constantly innovating around automobile connectivity, from the earliest car radios to the latest smart technologies. Using the latest phone apps, vehicles can be remotely locked, unlocked and started without searching for a set of car keys. Additionally, they can report engine fluid levels and driver behavior to manufacturers’ databases. 

The average connected vehicle uses over 100 million lines of software code to power its electronic control unit (ECU), and relies on thousands of APIs to manage various aspects of the vehicle’s positioning, health, convenience, etc. This allows the various systems to interact with each other to provide better functionality and performance — from the owner requesting air conditioning while still inside their home, to the navigation system, to the engine function, and even for adjusting brake performance.

However, the very thing that makes connected vehicles so convenient can also be used by threat actors to steal a vehicle or, more alarmingly, assume remote control of a moving vehicle. This obviously poses a dire threat to both the safety and the privacy of vehicle owners and anyone else within the vicinity of “hacked” vehicle.

The Risk of Convenience

APIs used in connected vehicle systems offer points of entry for hackers and other malicious actors to exploit cars, trucks, telematics devices, and fleet management operators. According to Cequence Security, the number of automotive API attacks has increased by 380 percent in the last year, accounting for 12 percent of total incidents. 

In 2023 alone, there have been several notable API breaches affecting major auto manufacturers, such as Honda, which exposed the data of thousands of customers, as well as Toyota, Mercedes and BMW. Vehicles store a significant amount of personally identifiable information (PII), which can lead to fraud if it falls into the wrong hands. When exploited, API security flaws can allow threat actors to access internal dealer portals, query a VIN, and take over customer accounts remotely.

Beyond potentially granting attackers access to PII, this type of vulnerability could also facilitate unauthorized changes in vehicle ownership.

According to the OWASP API Security Top 10, the most common tactic threat actors exploit is broken object-level authorization (BOLA). A BOLA vulnerability results from an API not being developed with appropriate authorization controls. It can allow threat actors to remotely start, stop, lock and unlock vehicles, in addition to revealing PII.

While the focus for the automotive industry should be ensuring as few API vulnerabilities as possible make it into the technology powering vehicles, protection via continuous scanning of the entire API inventory is still required, as even a perfectly coded API can be attacked.  This is because attackers take advantage of the same non-functional requirements developers appreciate about APIs – flexibility, speed and ease of use – making attacks on well-formed APIs common.

Don’t Let Threat Actors Zoom Through Your API Security

APIs are the number one attack vector. Yet, many of today’s security teams lack the visibility and defense capabilities they need to reduce the risk. Automotive manufacturers must assume responsibility and securely configure and regularly test their APIs by looking from the outside in – as an attacker would.

To combat the risk to vehicle and passenger safety and protect customer data, companies should look to implement a unified and integrated approach that works across the entire API protection lifecycle. Gaining visibility to all public-facing API footprints that threat actors can use as an entry point is vital for success. 

According to Cequence Security, over 50 percent of APIs are unknown or shadow APIs, meaning with millions of cars, there will be millions of shadow APIs threat actors can exploit. Companies must continuously analyze public-facing and internal APIs to uncover those deemed high-risk, and institute an alert system. This will ensure security teams comply with industry regulations while creating an efficient system of monitoring and blocking malicious requests, and reducing downtime and exposure of sensitive customer data.

Outside of someone breaking into a car and stealing a wallet or other personal documents, the hundreds of millions of APIs connecting us to our vehicles hold the most significant security risk. This is why automotive companies must take action to protect and discover unknown and exposed APIs.


Click Here For The Original Story From This Source.

National Cyber Security