Navigating the Road to Automotive Security

In an increasingly connected world, cars are no longer just mechanical; they’re rolling computers with intricate software systems powered by APIs and apps. However, this digital transformation comes with risks. The newest research from Traceable ASPEN examines four recent case studies of vulnerabilities, distilling the technical how and why of these issues. From central locking systems to fleet management systems and supplier networks, affecting automakers, to insurers. This latest whitepaper distills the key findings and technical vulnerabilities that cars have encountered, shedding light on the urgent need for robust automotive security practices. This includes expert analysis of the most impactful security research in the auto industry as well as new vulnerabilities discovered by ASPEN, one of which enabled the export of 17,000 customer database records, and another where it was possible to real-time track vehicles around the world.

Download the full Whitepaper - On the Fast Track: Analyzing API Security Flaws in Major Automakers.

Wondering how your security processes measure up? Download the Security Bytes Checklist for Automakers, with actionable advice to develop your API security program.

In 2023 security researchers explored vehicle telematic systems and automotive APIs across a number of manufacturers. During their engagement, they discovered critical vulnerabilities affecting various car manufacturers, including Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, and Genesis. These vulnerabilities allowed for remote actions such as locking/unlocking vehicles, starting/stopping engines, and accessing sensitive information via VIN numbers or email addresses.

These vulnerabilities can cause serious impacts including:

• Unauthorized Access: Attackers could gain unauthorized access to vehicles, allowing them to lock/unlock doors, start/stop engines, or even disable safety features.
• Data Breaches: Sensitive information (such as VIN numbers, email addresses, and location data) could be exposed, leading to identity theft or privacy violations.
• Safety Risks: Malicious actors might manipulate critical vehicle functions, endangering occupants’ safety.
• Financial Loss: Car owners could face financial losses due to theft, damage, or fraudulent activities.
• Reputation Damage: Car manufacturers’ reputations could suffer if their vehicles are associated with security vulnerabilities.

It’s not just first parties who are struggling to manage their security, a vulnerability in a supplier management network allowed a security researcher to gain access to sensitive data related to approximately 3,000 suppliers and 14,000 users worldwide. The compromised web application was used by employees and suppliers to coordinate projects, containing details about parts, surveys, and purchases. While this vulnerability was patched promptly it demonstrates the difficulty in managing third party software used in the automotive industry.

Moving from automakers to insurance, in 2024 a calculator hosted by an insurance broker exposed Microsoft corporate cloud credentials, allowing unauthorized access to sensitive data. Specifically, the email sending API returned logs containing the password for the “noreply”  Microsoft email account. This account contained approximately 657,000 emails (around 25 GB) with customer information, insurance policy PDFs, password reset links, and more. The compromised email account not only jeopardized customer data but also provided access to other Microsoft cloud resources, including the corporate directory, SharePoint, and Teams.

In the whitepaper you’ll also find the technical details of new vulnerabilities affecting a major automaker. The ASPEN team was able to export 17,000 customer records due to missing authentication on an intended internal API that was made public for customer fleet management. In addition to the fleet management export it was also possible to access a live vehicle tracking system, a major privacy violation which showed live location data worldwide. Both of these sharing a similar root cause: while the API had an authentication system, both were missing verification of a logged in user.

Traditionally, automotive security focused on physical measures like locks and alarms. However as vehicles introduce more smart functionality, with apps, management consoles and collect more data there is a continually increasing risk of attack. Automakers who fall behind on security have a real risk of losing consumer trust, even for a small number of security incidents. For more technical analysis on the vulnerabilities discussed here with advice for those developing their API security programs you can download the full whitepaper: On the Fast Track: Analyzing API Security Flaws in Major Automakers.

‍

Traceable ASPEN

Traceable ASPEN provides vendor neutral and threat driven research in API security, investigating the latest breaches with world leading expertise and analysis. We believe in securing the world’s APIs with actionable insights from across the industry. We are offensively minded, defensively driven, and focused on your protection.