ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Hacking Cars with APIs Shira Sarid-Hausirer | VP Marketing Daniel Blum | Product Manager, API Security

No content

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Protecting the integrity of vehicle and customer data comes before business We have the responsibility for cyber security over the entire life cycle The manufacturer must be the master of the interfaces into the vehicle Oliver Zipse Chairman of the Board of Directors “ “ “ Speech at IT Symposium, Munich, March 2023

RAPID GROWTH OF AUTOMOTIVE CYBER INCIDENTS Publicly Reported Cyber Incidents 2010-2022 387% Increase ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Analysis & Insights 1306 2010-2023 YTD Incidents 268 2022 0 20 40 60 80 100 120 140 160 180 200 220 240 260 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022

BLACK HAT ACTIVITY IS DOMINATING THE AUTOMOTIVE CYBER LANDSCAPE ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential.

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Emerging attack vectors Fleet-wide focus Smart mobility risks THE NEW ATTACK VECTORS OF THE SMART MOBILITY ECOSYSTEM

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. APIs FUEL SMART MOBILITY OPPORTUNITIES

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. APIs UNLOCK DATA-DRIVEN SERVICES AND ADVANCED FEATURES Vehicle status Maintenance Charging stations Telemetries Billing Driver scoring Collisions Remote control Sharing services Fleet management API EXAMPLES Warranty info Dealerships & suppliers Leasing Service & subscriptions Diagnostics E-commerce Trip planning Repair info Anti- theft Battery info MOBILITY CLOUD Stored data Command and control Mobile companion apps Web apps (e.g., dealership, workshops) 3rd parties Connected vehicles Charging stations DATA APIs APIs APIs

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. APIs ARE A GROWING ATTACK SURFACE APIs require relatively low technical expertise and introduce easier, yet fleet-wide, attack surfaces MOBILITY CLOUD Stored data Command and control Mobile companion apps Web apps (e.g., dealership, workshops) 3rd parties Connected vehicles Charging stations DATA APIs Broken Object Level Authorization Broken User Authentication Excessive Data Exposure Lack of Resources & Rate Limiting Security Misconfiguration Malicious Injections Improper Assets Management Insufficient Logging & Monitoring APIs APIs

ⓒ 2022 Upstream Security Ltd. All Rights Reserved. Confidential. THE SHIFT IN MALICIOUS ACTIVITIES Fast and Direct Low and Slow secs to mins days to weeks Known single API call attacks (e.g., injections) Business logic API attack sequences

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. 380% Growth (vs. 2021) API-BASED ATTACKS IN 2022 12% Of total incidents APIs

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. 3 years 1 vehicle 1 domain attack of the in-vehicle network (safety critical) from research to exploit make and model year AUTOMOTIVE CYBER THREATS BEFORE APIS: LONG AND COMPLEX 2015

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. DAVID COLOMBO’S TESLA REMOTE CONTROL Unlock commands sent while driving (Multi-vehicle) “I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollable remotely flashing the lights of the Teslas at night.”

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. HACKER EXPLOITED API VULNERABILITY TO REMOTELY CONTROL MULTIPLE OEMS’ VEHICLES Source: *https://threadreaderapp.com/thread/1597792097175674880.html By knowing only the VIN number of the vehicles

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. VS Automotive threats pre-API (2015) Years/months of research Affecting specific car models Focused on impacting safety components Weeks of research Affecting millions of vehicles Automotive threats post-API (2023) Automotive expertise No automotive expertise Focused on both safety and business impacts efforts impact range impacted domains expertise Vehicle is required Vehicle is not required research method AUTOMOTIVE THREATS IN AN API DRIVEN WORLD

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. THE BLIND SPOT OF THE IT APPROACH Vehicle Data Application Server Application Consumer API GW API GW Enterprise & 3rd Party Applications API GW IT-Driven API Security API request and response: • Data • API commands (vehicle control) API request and response: • Enterprise API-based applications (user management, admin, authentication)

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Next-gen API security: BORN IN MICHIGAN! Correlating operational data feeds (vehicles) with API traffic

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Connected Vehicle Data Application Server Application Consumer API GW API GW Enterprise & 3rd Party Applications API GW IoT-Driven API Security API request and response: • Data • API commands (vehicle control) API request and response: • Enterprise API-based applications (user management, admin, authentication) Traffic from the vehicle to the server: • Messages Traffic from the server to the vehicle: • Telematics commands • Data requests

ⓒ 2023 Upstream Security Ltd. All Rights Reserved. Confidential. Thank you! shiras@upstream.auto danielb@upstream.auto