From the earliest car radios to the latest smart car technologies, the automotive industry is constantly innovating around automobile connectivity. For example, using the latest phone apps, cars can be remotely locked, unlocked and started without having to search for a set of car keys. Or vehicles can report engine fluid levels and driver behavior to manufacturers’ databases. But there’s a catch. This same convenience and flexibility from connected cars can be used by thieves to steal a car, or worse remotely control a vehicle while in motion, or impact the privacy of car owners. All of this can come about because this vehicle connectivity is enabled by APIs. A recent report stated that 84.5% of automotive attacks were carried out remotely.
Automotive Cybersecurity by the Numbers
380%
The number of automotive API attacks has increased by 380%, accounting for 12% of total incidents.
203 million
Over 203 million cars can receive software over-the-air (SOTA) upgrades which communicate via APIs.
15.5 million
Researchers gained access to an automotive telematics company with the ability to send arbitrary commands to an estimated 15.5 million vehicles.
API Protection for Intelligent Connected Vehicles
The automotive industry, including vehicle makers and makers of vehicle onboard communication services and applications that communicate with one another via GPS receivers and other telematics devices are relying heavily on APIs. Only five years ago, on average a car, included 100 million lines of code. The sheer number of APIs involved in all this code makes them a prime target for attackers. The consequences of a compromised vehicle include:
Injuries and Accidents
It’s only a matter of time before someone is injured from an exploited and out of control vehicle. Even the ability to remotely open doors can cause driver distraction and accidents.
Standards Violations
Not meeting standards such as the UNECE R155 or ISO 21434 related to the cyber security of management systems for vehicles can mean legal implications if vehicle systems are compromised due to API exploits related to hosted services, secure software development and unauthorized access.
Liability and Reputation
When it comes to vehicle safety, and cybersecurity, regulators pay close attention. So with API security, manufacturers must ensure their applications are operating in a secure and standard way and implement proper oversight and governance. The liability and reputational damage could seriously impact the bottom line.
Privacy and PII
Vehicles carry a lot of personally identifiable information (PII) and vehicle-related PII can lead to myriad types of fraud. API security flaws could allow attackers to access internal dealer portals, query a VIN number and takeover customer accounts remotely. Not only could this give attackers access to PII, but also change ownership of a vehicle.
Disruptions to Automotive Supply Chain
A typical vehicle has up to 150 electronic control units (ECU). When it comes to APIs, and the ECU software embedded in millions of vehicles, it can take weeks to correct software flaws. And that can mean huge disruptions to vehicle supply chains.
Limitations of Traditional Solutions to Automotive Cybersecurity
When it comes to APIs used by connected vehicles, the security teams that oversee that connectivity simply lack the visibility and defense capabilities they need to protect the ever-growing risk from APIs and other application connections. Many believe that compliance with industry standards and a “shift-left, DevOps” approach are sufficient solutions to protect their APIs. The problem with these strategies is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs, including legacy and shadow APIs, and API vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate traffic to gain control of a vehicle. Traditional approaches that use WAFs or API gateways depend on easily evadable detection, lack the real-time ability to discern good from bad API activity and are reliant on static, least common denominator protection spread across multiple technology components.
Cequence Secures the Automotive Industry
But there is good news as potential API cyber security events associated with vehicle systems seem to stem from known API risks. Outside of physical security break ins by cracking locks and stealing vehicle records from a glove box, most API vulnerabilities can be associated with the OWASP API Security Top 10 list.
Cequence Security believes in taking a holistic approach to defending against API-related vehicle cybersecurity automotive risk with a market-defining Unified API Protection solution that goes beyond traditional API security that may focus solely on one aspect of the API protection journey. Achieving true peace of mind for comprehensive API attack protection means traveling through the three steps associated with the Unified API Protection solution: Discover, Comply, and Protect.
Why Cequence?
With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless of attackers. It significantly improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
