
INTERFACE by apidays 2023 - Fast & Furious: Hacking Cars with APIs, Shira Sarid-Hausirer & Daniel Blum, Upstream

INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023

Fast & Furious: Hacking Cars with APIs
Shira Sarid-Hausirer, VP Marketing at Upstream
Daniel Blum, Product Manager - API Security & Threat Intelligence at Upstream

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

July 11, 2023


Transcript

  1. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential.

     Hacking Cars with APIs
     Shira Sarid-Hausirer | VP Marketing
     Daniel Blum | Product Manager, API Security

  2. “Protecting the integrity of vehicle and customer data comes before business.”
     “We have the responsibility for cyber security over the entire life cycle.”
     “The manufacturer must be the master of the interfaces into the vehicle.”
     Oliver Zipse, Chairman of the Board of Directors, speech at IT Symposium, Munich, March 2023

  3. RAPID GROWTH OF AUTOMOTIVE CYBER INCIDENTS
     Publicly reported cyber incidents, 2010-2022: 387% increase.
     1,306 incidents from 2010 to 2023 YTD; 268 incidents in 2022.
     [Bar chart: publicly reported incidents per year, 2010-2022]
     Source: Upstream Security analysis & insights

  4. BLACK HAT ACTIVITY IS DOMINATING THE AUTOMOTIVE CYBER LANDSCAPE

  5. THE NEW ATTACK VECTORS OF THE SMART MOBILITY ECOSYSTEM
     Emerging attack vectors; fleet-wide focus; smart mobility risks.

  6. APIS UNLOCK DATA-DRIVEN SERVICES AND ADVANCED FEATURES
     The mobility cloud (stored data, command and control) exposes APIs to mobile companion apps, web apps (e.g., dealership, workshops), 3rd parties, connected vehicles and charging stations.
     API examples: vehicle status, maintenance, charging stations, telemetries, billing, driver scoring, collisions, remote control, sharing services, fleet management, warranty info, dealerships & suppliers, leasing, service & subscriptions, diagnostics, e-commerce, trip planning, repair info, anti-theft, battery info.

  7. APIS ARE A GROWING ATTACK SURFACE
     APIs require relatively low technical expertise and introduce easier, yet fleet-wide, attack surfaces.
     API risks mapped onto the same mobility-cloud architecture: Broken Object Level Authorization; Broken User Authentication; Excessive Data Exposure; Lack of Resources & Rate Limiting; Security Misconfiguration; Malicious Injections; Improper Assets Management; Insufficient Logging & Monitoring.

  8. THE SHIFT IN MALICIOUS ACTIVITIES
     Fast and direct: seconds to minutes; known single-API-call attacks (e.g., injections).
     Low and slow: days to weeks; business-logic API attack sequences.

  9. API-BASED ATTACKS IN 2022
     380% growth vs. 2021; 12% of total incidents.

 10. AUTOMOTIVE CYBER THREATS BEFORE APIS: LONG AND COMPLEX (2015)
     3 years from research to exploit; 1 vehicle make and model year; 1 domain: attack of the in-vehicle network (safety critical).

 11. DAVID COLOMBO’S TESLA REMOTE CONTROL
     Unlock commands sent while driving (multi-vehicle).
     “I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollably remotely flashing the lights of the Teslas at night.”

 12. HACKER EXPLOITED API VULNERABILITY TO REMOTELY CONTROL MULTIPLE OEMS’ VEHICLES
     By knowing only the VIN of the vehicles.
     Source: https://threadreaderapp.com/thread/1597792097175674880.html
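Slide 7 lists Broken Object Level Authorization first among the API risks, and slide 12 describes vehicles that could be commanded by anyone who knew their VIN. The Python below is an added example, not Upstream's or any OEM's code and not a reconstruction of the exploit in the linked thread: a constructed remote-command handler that authorizes on the VIN alone, beside one that binds the VIN to the authenticated account, with a sweep that shows what a single account can reach through each. The ownership table, VINs, command names and the `Session` type are all assumptions made for the example.

```python
"""Added example (not Upstream's code): a remote-command endpoint that
authorizes on the VIN alone, beside one that binds the VIN to the caller.

The account store, VINs and command names are constructed for illustration.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    pass


@dataclass
class Session:
    account_id: str  # identity established upstream by the authentication layer (assumed)


# Constructed mobility-cloud state: which consumer account owns which vehicle.
OWNERSHIP = {
    "1HGCM82633A004352": "acct-alice",
    "WDBUF56X48B123456": "acct-bob",
}

ALLOWED_COMMANDS = {"lock", "unlock", "honk", "flash_lights"}


def send_command_vulnerable(session, vin, command):
    """Broken Object Level Authorization: the caller is authenticated, but the
    VIN from the request body is the only thing selecting the target vehicle.
    Any valid session can therefore command any enrolled VIN."""
    if vin not in OWNERSHIP:
        raise KeyError("unknown vehicle")
    return {"vin": vin, "command": command, "issued_by": session.account_id}


def send_command_hardened(session, vin, command):
    """Object-level check: the VIN must belong to the authenticated account.
    Unknown and foreign VINs get the same error so the endpoint does not
    double as a VIN-enumeration oracle; commands are allow-listed."""
    owner = OWNERSHIP.get(vin)
    if owner is None or owner != session.account_id:
        raise AuthorizationError("vehicle not available to this account")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unsupported command")
    return {"vin": vin, "command": command, "issued_by": session.account_id}


def sweep(handler, session, candidate_vins, command="unlock"):
    """What an attacker holding one account and a list of VINs gets out of a
    handler: the VINs it was willing to command on their behalf."""
    reached = []
    for vin in candidate_vins:
        try:
            handler(session, vin, command)
            reached.append(vin)
        except (KeyError, AuthorizationError, ValueError):
            pass
    return reached


if __name__ == "__main__":
    alice = Session("acct-alice")
    targets = list(OWNERSHIP) + ["5YJSA1E26HF000001"]  # last VIN is not enrolled at all
    print("vulnerable:", sweep(send_command_vulnerable, alice, targets))
    print("hardened:  ", sweep(send_command_hardened, alice, targets))
```

The sweep is the fleet-wide part of the slide's argument: with the vulnerable handler, one legitimate account plus a list of VINs is enough to command every enrolled vehicle, while the hardened handler returns only the caller's own car and gives the same error for Bob's VIN as for a VIN that does not exist.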
 13. AUTOMOTIVE THREATS IN AN API-DRIVEN WORLD
     Automotive threats pre-API (2015) vs. post-API (2023):
     Efforts: years/months of research vs. weeks of research
     Impact range: affecting specific car models vs. affecting millions of vehicles
     Impacted domains: focused on impacting safety components vs. focused on both safety and business impacts
     Expertise: automotive expertise vs. no automotive expertise
     Research method: vehicle is required vs. vehicle is not required

 14. THE BLIND SPOT OF THE IT APPROACH
     Architecture: vehicle data → application server → API gateway → application consumer; enterprise & 3rd-party applications reach the application server through their own API gateway.
     IT-driven API security sees only the API request and response:
     - Data and API commands (vehicle control)
     - Enterprise API-based applications (user management, admin, authentication)

 15. NEXT-GEN API SECURITY: BORN IN MICHIGAN!
     Correlating operational data feeds (vehicles) with API traffic.

 16. IOT-DRIVEN API SECURITY
     Same architecture as slide 14, with the connected vehicle's own data feeds added.
     API request and response:
     - Data and API commands (vehicle control)
     - Enterprise API-based applications (user management, admin, authentication)
     Traffic from the vehicle to the server: messages.
     Traffic from the server to the vehicle: telematics commands; data requests.
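Slides 14 to 16 argue that an API gateway sees requests and responses but not what the vehicle is actually doing, slide 11 gives the concrete case of unlock commands sent while driving, and slide 8 contrasts fast single-call attacks with low-and-slow business-logic sequences. As an added example (not Upstream's product logic), the Python below correlates a constructed API command log with constructed vehicle telemetry: it flags a command that is unsafe while moving when the vehicle's latest message shows highway speed, and it flags one consumer account that commands more distinct VINs within a week than an owner plausibly has. Field names, thresholds, VINs and all sample records are assumptions made for the example.

```python
"""Added example (not Upstream's code): correlate API command traffic with
vehicle telemetry to catch what an API gateway alone cannot see.

All records below are constructed sample data; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Vehicle -> cloud telemetry messages (constructed). Speed in km/h.
TELEMETRY = [
    {"ts": "2023-06-28T10:00:00Z", "vin": "1HGCM82633A004352", "speed_kmh": 0},
    {"ts": "2023-06-28T10:05:00Z", "vin": "WDBUF56X48B123456", "speed_kmh": 104},
    {"ts": "2023-06-28T10:30:00Z", "vin": "WDBUF56X48B123456", "speed_kmh": 0},
    {"ts": "2023-06-29T08:00:00Z", "vin": "5YJSA1E26HF000001", "speed_kmh": 0},
    {"ts": "2023-06-30T08:00:00Z", "vin": "JH4KA7561PC008269", "speed_kmh": 0},
    {"ts": "2023-07-01T08:00:00Z", "vin": "WP0ZZZ99ZTS392124", "speed_kmh": 0},
]

# API gateway log of server -> vehicle commands (constructed).
API_LOG = [
    {"ts": "2023-06-28T10:01:00Z", "account": "acct-alice", "vin": "1HGCM82633A004352", "cmd": "unlock"},
    {"ts": "2023-06-28T10:06:00Z", "account": "acct-mallory", "vin": "WDBUF56X48B123456", "cmd": "unlock"},
    {"ts": "2023-06-28T10:31:00Z", "account": "acct-mallory", "vin": "WDBUF56X48B123456", "cmd": "unlock"},
    {"ts": "2023-06-29T08:10:00Z", "account": "acct-mallory", "vin": "5YJSA1E26HF000001", "cmd": "flash_lights"},
    {"ts": "2023-06-30T08:10:00Z", "account": "acct-mallory", "vin": "JH4KA7561PC008269", "cmd": "honk"},
    {"ts": "2023-07-01T08:10:00Z", "account": "acct-mallory", "vin": "WP0ZZZ99ZTS392124", "cmd": "unlock"},
]

MOVING_KMH = 5                 # at or above this the vehicle counts as moving (assumed threshold)
UNSAFE_WHILE_MOVING = {"unlock", "flash_lights", "set_volume"}
WINDOW = timedelta(days=7)     # low-and-slow lookback
MAX_DISTINCT_VINS = 3          # more vehicles than this per consumer account in WINDOW is suspicious


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def latest_speed_before(telemetry, vin, ts):
    """Most recent reported speed for `vin` at or before `ts`, or None if it never reported."""
    best = None
    for m in telemetry:
        m_ts = parse_ts(m["ts"])
        if m["vin"] == vin and m_ts <= ts and (best is None or m_ts > best[0]):
            best = (m_ts, m["speed_kmh"])
    return None if best is None else best[1]


def detect(telemetry, api_log):
    alerts = []
    events = sorted(api_log, key=lambda e: parse_ts(e["ts"]))

    # Rule 1 (fast and direct, but only visible with vehicle data): a command that is
    # unsafe while moving, sent to a vehicle whose last telemetry message says it is moving.
    for e in events:
        if e["cmd"] not in UNSAFE_WHILE_MOVING:
            continue
        speed = latest_speed_before(telemetry, e["vin"], parse_ts(e["ts"]))
        if speed is not None and speed >= MOVING_KMH:
            alerts.append({"rule": "command_while_moving", "account": e["account"],
                           "vin": e["vin"], "ts": e["ts"], "speed_kmh": speed})

    # Rule 2 (low and slow): one account commanding many distinct vehicles inside WINDOW.
    # Each call is individually valid; only the sequence over days is fleet-wide.
    per_account = defaultdict(list)
    for e in events:
        per_account[e["account"]].append(e)
    for account, evs in per_account.items():
        for i, e in enumerate(evs):
            now = parse_ts(e["ts"])
            recent = {x["vin"] for x in evs[: i + 1] if now - parse_ts(x["ts"]) <= WINDOW}
            if len(recent) > MAX_DISTINCT_VINS:
                alerts.append({"rule": "many_vehicles_per_account", "account": account,
                               "vins": sorted(recent), "ts": e["ts"]})
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for a in detect(TELEMETRY, API_LOG):
        print(a)
```

Rule 1 only fires because the detector has the vehicle-to-server feed: from the gateway's point of view the 10:06 unlock and the 10:31 unlock of the same car are identical authenticated requests. Rule 2 never looks at a single request; it counts distinct VINs per account over the lookback window, which is what turns four unremarkable commands spread over four days into one alert.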