As seen on IT Nerd.
For years I’ve argued that the auto industry has to step up its game in terms of security or something serious is going to happen to car owners. The best example of this that I can think of is when researchers took control of a Jeep remotely and was able to gain complete control of the car. That led to a recall to fix this along with a class action lawsuit and senate action. But clearly this continues to be an issue. Case in point is this work by Sam Curry.
We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.
At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.
I really encourage you to read this. It’s not eye opening to me, but you’ll be shocked by what Curry has discovered and how many companies are affected by API vulnerabilities. Giora Engel, the CEO and Co-Founder of Neosec has this commentary:
“APIs are used to connect virtually every business and today they are largely unprotected. For most organizations they don’t even have an inventory of which APIs they created and expose to the outside and have no idea if any API is being abused. The reality is that for most businesses, the impact of API vulnerabilities and any abuse of that API results in data theft or monetary loss, which are certainly damaging. But in an automotive vehicle, the problem of abuse of any API is potentially physically dangerous to drivers on the road. Protecting APIs from behavioral abuse in the automotive industry is no longer optional. It is essential.”
Honestly, the car makers in this blog post by Sam Curry really need to up their game. Because if you buy a car, you should be assured that it is safe from being pwned by hackers. And what really bothers me is that the Jeep hack was in 2015. Thus you would have thought that this would be either less of an issue or a non issue by now. But I guess I expect too much from car makers who clearly don’t have security as their top priority.