Following on to previously reported connected car API problems, the worst disclosure to date has been published.
We previously wrote about the API security disclosures affecting Hyundai and SiriusXM. But on January 4, 2023, researchers released more information about API security issues in the connected car space, and the details are startling. The story was first brought to our attention via Dark Reading.
In this case, there are a range of issues originating from connected car systems.
Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.
The security flaws impacted well-known brands, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.
The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.
As with previous reports, remote unlocking and remote starting appear to have been possible and were proven by the security researchers. However, these disclosures carry two other implications for connected systems.
APIs often sit at the edge of a corporate network, exposing functions to third parties. This is intended and this is, in fact, what APIs are designed to do. But the implication is that if an API is vulnerable, then potentially the network behind it could be reachable:
The most severe API flaws were found in BMW and Mercedes-Benz, which were affected by company-wide SSO (single-sign-on) vulnerabilities that enabled attackers to access internal systems.
In this case, several cloud-based systems shared credentials. Some of the systems that became accessible were internal tools, customer and dealer information, and full inventory databases. Others were part of the company's software build pipeline, opening the door to a potential supply chain attack.
One common problem in APIs is that organizations assume that if you are entitled to access an API, you're entitled to access any information that sits behind that API. This is often called broken object-level authorization (BOLA) or insecure direct object reference (IDOR). The research disclosed today includes several examples of this principle in action, such as:
Exploiting other API flaws allowed the researchers to access PII (personally identifiable information) for owners of KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche, and Toyota cars.
An attacker could exploit these flaws to access, modify, or delete any Ferrari customer account, manage their vehicle profile, or set themselves as car owners.
This last point - setting themselves as car owners - is an example of broken function-level authorization (BFLA): the API lets an ordinary caller invoke a privileged function (here, assigning vehicle ownership) that their role should never have been permitted to call, rather than merely read an object they don't own.
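To make the two authorization failures concrete, here is an added illustration (example code, not from the research or any manufacturer's API) of a vehicle-profile endpoint with and without an object-level ownership check, and an ownership-transfer function with and without a function-level role check. The VINs, user ids and the "dealer" and "support" roles are constructed for the example.

```python
# Added example: BOLA vs BFLA checks on a connected-car style API.
# All data, roles and function names here are constructed, not real.
from dataclasses import dataclass, field

@dataclass
class Vehicle:
    vin: str
    owner_id: str
    location: str

@dataclass
class Session:
    user_id: str
    roles: set = field(default_factory=set)

class Forbidden(Exception):
    pass

# Constructed sample data: two customers, one car each.
VEHICLES = {
    "VIN-AAA111": Vehicle("VIN-AAA111", "alice", "51.50,-0.12"),
    "VIN-BBB222": Vehicle("VIN-BBB222", "bob", "48.85,2.35"),
}

def get_vehicle_bola(session, vin):
    """Vulnerable: being logged in is enough to read any VIN (BOLA/IDOR)."""
    return VEHICLES[vin]

def get_vehicle(session, vin):
    """Hardened: object-level check that the caller owns this VIN
    (or holds a support role that is allowed to look up any vehicle)."""
    vehicle = VEHICLES[vin]
    if vehicle.owner_id != session.user_id and "support" not in session.roles:
        raise Forbidden(f"{session.user_id} may not read {vin}")
    return vehicle

def set_vehicle_owner_bfla(session, vin, new_owner):
    """Vulnerable: the ownership-transfer function is exposed to every
    authenticated caller (BFLA), so anyone can make themselves the owner."""
    VEHICLES[vin].owner_id = new_owner
    return VEHICLES[vin]

def set_vehicle_owner(session, vin, new_owner):
    """Hardened: function-level check, only dealer staff may reassign owners."""
    if "dealer" not in session.roles:
        raise Forbidden("ownership transfer requires the dealer role")
    VEHICLES[vin].owner_id = new_owner
    return VEHICLES[vin]
```

The hardened versions show the two separate decisions an API gateway or handler must make: is this caller allowed to touch this particular object, and is this caller allowed to invoke this particular function at all.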
Ultimately, for the individual citizen, there is very little that can be done about the security of these systems. Disabling them in the car may be very difficult, or even impossible in some car models. Fortunately, all of the car manufacturers and third-party component makers have responded quickly to remediate all the risks and vulnerabilities discovered by this research.
However, for individual car buyers, the recommendations are similar to other aspects of managing your own account security:
"When purchasing a used car, make sure that the prior owner's account has been removed. Use strong passwords and set up 2FA (two-factor authentication) if possible for apps and services which link to your vehicle," warned Curry in a statement to BleepingComputer.
FireTail founder Jeremy Snyder discussed API security to a standing-room-only crowd at UK Cyberweek in London in April 2023.