Nearly 20 car manufacturers and services contained API security vulnerabilities, including Toyota, Mercedes, and BMW.
The API security vulnerabilities, if exploited, could've given hackers the ability to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.
We heard from Jason Kent, Hacker in Residence at Cequence Security, about the risks of vulnerable APIs and the importance of testing:
These automotive manufacturers obviously aren’t testing their APIs. The question as to why is simple: there aren’t great tools out there and it mostly has to be done manually. As the researcher showed, however, just a little bit of manual effort pays off.
Flaws that live in the OWASP Top 10 are easily found and exploited. After the initial foray of testing for the OWASP API Security Top Ten, then some business logic testing, the investigation revealed additional flaws. But in each of the cases here the researcher used simple tools and techniques to find and create points of compromise on these flaws.
The researcher suggests car owners should take responsibility by limiting their input of personally identifiable information (PII), using the highest privacy settings on telematics, and implementing two-factor authentication (2FA), but it shouldn’t come to this. Automotive manufacturers have to assume responsibility and securely configure and regularly test their APIs by looking from the outside in, as an attacker would.
API security is the number one attack vector for a reason. There is very little that is done to test for these types of problems, which is why researchers are able to exploit simple flaws and blow the whistle on enterprises that have billions of dollars at their disposal and build solutions the general public has learned to trust.