‍

What Are Connected Cars?

Connected cars are vehicles equipped with internet access, enabling them to send and receive data, communicate with other devices, and integrate with various digital services. While this connectivity brings numerous benefits, it also opens up new avenues for cyberattacks.

‍

Why You Should Care

Even if you don't own a connected car, it's essential to be aware of the security implications. You might find yourself in a conversation with friends or neighbors who do, and you can impress them with your knowledge of how traditional, less connected vehicles might actually be safer in some respects.

‍

Key Discussion Points

In our talk, we will cover several critical areas:

1. Statistics: A historical overview of incidents from 2010 to 2023.
2. Prevalence of API Attacks: Understanding why these attacks are so common.
3. Incidents and Solutions: A review of notable incidents and possible solutions.
4. The Role of AI: How artificial intelligence can influence API attacks.
5. Future Outlook: What the future might hold for connected car security.

‍

Statistics

Between 2010 and 2023, incidents involving connected cars have been categorized into physical and remote attacks. API attacks, unsurprisingly, fall under the category of remote attacks. These attacks can be further divided into short-range and long-range incidents. For API attacks, long-range incidents are more common, highlighting the vulnerabilities that can be exploited from afar.

‍

Common Attack Vectors

From 2010 to 2021, various attack vectors were prevalent, including Bluetooth, Wi-Fi, sensors, mobile applications, and servers. While API attacks accounted for a small percentage initially, their frequency surged dramatically in 2022 and 2023. In 2022 alone, API-related attacks increased by 308%, and by 2023, they represented 13% of all automotive attacks, moving from fourth to third place.

‍

Why Are API Attacks So Prevalent?

Several factors contribute to the rise in API attacks:

1. Low Budget: A computer and Wi-Fi are often all that's needed.
2. Remote Execution: Attacks can be launched from anywhere, making detection difficult.
3. No Special Hardware: Unlike other types of attacks, no specialized equipment is required.
4. Low Technical Expertise: Many resources are available online, making it easier for attackers.
5. Wide Attack Surface: Numerous targets, including OEMs, charging stations, and various applications, increase the attack surface.

‍

Notable Incidents

Several high-profile incidents have highlighted the dangers of API vulnerabilities:

• A popular ride-hailing service in Pakistan was compromised, leading to abusive messages sent to customers.
• API vulnerabilities in a German OEM's website allowed data exfiltration.
• Critical vulnerabilities in a charging station management system enabled unauthorized file access and control over chargers.
• Misconfigured APIs exposed sensitive customer data of an OEM's customers.

‍

Case Study: The SiriusXM Incident

One particularly notable incident involved the SiriusXM telematics services. Security researchers discovered vulnerabilities that allowed them to access sensitive data and execute commands on vehicles remotely. This incident underscores the potential risks associated with connected car APIs.

‍

The Role of AI

Artificial intelligence can both aid in defending against and perpetrating API attacks. AI can automate vulnerability scanning, perform brute force attacks, execute distributed denial-of-service (DDoS) attacks, and more. The rapid advancement of AI technologies presents both opportunities and challenges for cybersecurity.

‍

Solutions to API Security Threats

1. Education: Familiarize yourself with resources like the OWASP Top 10 API Security Risks and API Security University.
2. Improved Authorization and Authentication: Ensure robust security measures are in place to control access.
3. Monitoring and Penetration Testing: Regularly test and monitor systems to identify and address vulnerabilities.
4. Verify Third-Party Providers: Ensure that partners and providers adhere to stringent security standards.

‍

Future Outlook

The future of connected car security is uncertain but promising. While the prevalence of API attacks has increased significantly, ongoing efforts to enhance security measures and the potential for AI-driven defenses offer hope. Staying informed and proactive is crucial as we navigate this evolving landscape.

‍

Conclusion

Understanding the security challenges and solutions for connected cars is essential in today's digital world. Whether you own a connected vehicle or not, being aware of these issues helps foster a safer environment for everyone on the road.

‍

Watch Agne's session from APISEC|CON here.

‍