INTERFACE by apidays 2023 - Fast & Furious: Hacking Cars with APIs, Shira Sarid-Hausireer & Daniel Blum, Upstream

Transcript

1. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Hacking

   Cars with APIs Shira Sarid-Hausirer | VP Marketing Daniel Blum | Product Manager, API Security
2. None

3. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Protecting

   the integrity of vehicle and customer data comes before business We have the responsibility for cyber security over the entire life cycle The manufacturer must be the master of the interfaces into the vehicle Oliver Zipse Chairman of the Board of Directors “ “ “ Speech at IT Symposium, Munich, March 2023

4. RAPID GROWTH OF AUTOMOTIVE CYBER INCIDENTS Publicly Reported Cyber Incidents

   2010-2022 387% Increase ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Analysis & Insights 1306 2010-2023 YTD Incidents 268 2022 0 20 40 60 80 100 120 140 160 180 200 220 240 260 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022

5. BLACK HAT ACTIVITY IS DOMINATING THE AUTOMOTIVE CYBER LANDSCAPE ⓒ

   2023 Upstream Security Ltd. All Rights Reserved. Confidential.

6. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Emerging

   attack vectors Fleet-wide focus Smart mobility risks THE NEW ATTACK VECTORS OF THE SMART MOBILITY ECOSYSTEM

7. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. APIs

   FUEL SMART MOBILITY OPPORTUNITIES

8. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. APIs

   UNLOCK DATA-DRIVEN SERVICES AND ADVANCED FEATURES Vehicle status Maintenance Charging stations Telemetries Billing Driver scoring Collisions Remote control Sharing services Fleet management API EXAMPLES Warranty info Dealerships & suppliers Leasing Service & subscriptions Diagnostics E-commerce Trip planning Repair info Anti- theft Battery info MOBILITY CLOUD Stored data Command and control Mobile companion apps Web apps (e.g., dealership, workshops) 3rd parties Connected vehicles Charging stations DATA APIs APIs APIs

9. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. APIs

   ARE A GROWING ATTACK SURFACE APIs require relatively low technical expertise and introduce easier, yet fleet-wide, attack surfaces MOBILITY CLOUD Stored data Command and control Mobile companion apps Web apps (e.g., dealership, workshops) 3rd parties Connected vehicles Charging stations DATA APIs Broken Object Level Authorization Broken User Authentication Excessive Data Exposure Lack of Resources & Rate Limiting Security Misconfiguration Malicious Injections Improper Assets Management Insufficient Logging & Monitoring APIs APIs

10. ⓒ 2022 Upstream Security Ltd. All Rights Reserved. Confidential. THE

    SHIFT IN MALICIOUS ACTIVITIES Fast and Direct Low and Slow secs to mins days to weeks Known single API call attacks (e.g., injections) Business logic API attack sequences

11. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. 380%

    Growth (vs. 2021) API-BASED ATTACKS IN 2022 12% Of total incidents APIs

12. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. 3

    years 1 vehicle 1 domain attack of the in-vehicle network (safety critical) from research to exploit make and model year AUTOMOTIVE CYBER THREATS BEFORE APIS: LONG AND COMPLEX 2015

13. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. DAVID

    COLOMBO’S TESLA REMOTE CONTROL Unlock commands sent while driving (Multi-vehicle) “I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollable remotely flashing the lights of the Teslas at night.”

14. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. HACKER

    EXPLOITED API VULNERABILITY TO REMOTELY CONTROL MULTIPLE OEMS’ VEHICLES Source: *https://threadreaderapp.com/thread/1597792097175674880.html By knowing only the VIN number of the vehicles

15. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. VS

    Automotive threats pre-API (2015) Years/months of research Affecting specific car models Focused on impacting safety components Weeks of research Affecting millions of vehicles Automotive threats post-API (2023) Automotive expertise No automotive expertise Focused on both safety and business impacts efforts impact range impacted domains expertise Vehicle is required Vehicle is not required research method AUTOMOTIVE THREATS IN AN API DRIVEN WORLD

16. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. THE

    BLIND SPOT OF THE IT APPROACH Vehicle Data Application Server Application Consumer API GW API GW Enterprise & 3rd Party Applications API GW IT-Driven API Security API request and response: • Data • API commands (vehicle control) API request and response: • Enterprise API-based applications (user management, admin, authentication)

17. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Next-gen

    API security: BORN IN MICHIGAN! Correlating operational data feeds (vehicles) with API traffic

18. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Connected

    Vehicle Data Application Server Application Consumer API GW API GW Enterprise & 3rd Party Applications API GW IoT-Driven API Security API request and response: • Data • API commands (vehicle control) API request and response: • Enterprise API-based applications (user management, admin, authentication) Traffic from the vehicle to the server: • Messages Traffic from the server to the vehicle: • Telematics commands • Data requests

19. ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Thank

    you! [email protected] [email protected]