The Risks of Having Your Vehicle Hacked

The average connected vehicle uses over 100 million lines of software code and thousands of APIs - many of which can be exploited.

Jason Kent
Dec 20, 2023
Automobile Cockpit, Various Information Monitors And Head Up Displays

When driving, we often worry about mechanical issues or accidents. However, we don’t typically think about the risks of having our vehicle hacked. The automotive industry is constantly innovating around automobile connectivity, from the earliest car radios to the latest smart technologies. Using the latest phone apps, vehicles can be remotely locked, unlocked and started without searching for a set of car keys. Additionally, they can report engine fluid levels and driver behavior to manufacturers’ databases. 

The average connected vehicle uses over 100 million lines of software code to power its electronic control unit (ECU), and relies on thousands of APIs to manage various aspects of the vehicle’s positioning, health, convenience, etc. This allows the various systems to interact with each other to provide better functionality and performance — from the owner requesting air conditioning while still inside their home, to the navigation system, to the engine function, and even for adjusting brake performance.

However, the very thing that makes connected vehicles so convenient can also be used by threat actors to steal a vehicle or, more alarmingly, assume remote control of a moving vehicle. This obviously poses a dire threat to both the safety and the privacy of vehicle owners and anyone else within the vicinity of "hacked" vehicle.

The Risk of Convenience

APIs used in connected vehicle systems offer points of entry for hackers and other malicious actors to exploit cars, trucks, telematics devices, and fleet management operators. According to Cequence Security, the number of automotive API attacks has increased by 380 percent in the last year, accounting for 12 percent of total incidents. 

In 2023 alone, there have been several notable API breaches affecting major auto manufacturers, such as Honda, which exposed the data of thousands of customers, as well as Toyota, Mercedes and BMW. Vehicles store a significant amount of personally identifiable information (PII), which can lead to fraud if it falls into the wrong hands. When exploited, API security flaws can allow threat actors to access internal dealer portals, query a VIN, and take over customer accounts remotely.

Beyond potentially granting attackers access to PII, this type of vulnerability could also facilitate unauthorized changes in vehicle ownership.

According to the OWASP API Security Top 10, the most common tactic threat actors exploit is broken object-level authorization (BOLA). A BOLA vulnerability results from an API not being developed with appropriate authorization controls. It can allow threat actors to remotely start, stop, lock and unlock vehicles, in addition to revealing PII.

While the focus for the automotive industry should be ensuring as few API vulnerabilities as possible make it into the technology powering vehicles, protection via continuous scanning of the entire API inventory is still required, as even a perfectly coded API can be attacked.  This is because attackers take advantage of the same non-functional requirements developers appreciate about APIs – flexibility, speed and ease of use – making attacks on well-formed APIs common.

Don’t Let Threat Actors Zoom Through Your API Security

APIs are the number one attack vector. Yet, many of today’s security teams lack the visibility and defense capabilities they need to reduce the risk. Automotive manufacturers must assume responsibility and securely configure and regularly test their APIs by looking from the outside in - as an attacker would.

To combat the risk to vehicle and passenger safety and protect customer data, companies should look to implement a unified and integrated approach that works across the entire API protection lifecycle. Gaining visibility to all public-facing API footprints that threat actors can use as an entry point is vital for success. 

According to Cequence Security, over 50 percent of APIs are unknown or shadow APIs, meaning with millions of cars, there will be millions of shadow APIs threat actors can exploit. Companies must continuously analyze public-facing and internal APIs to uncover those deemed high-risk, and institute an alert system. This will ensure security teams comply with industry regulations while creating an efficient system of monitoring and blocking malicious requests, and reducing downtime and exposure of sensitive customer data.

Outside of someone breaking into a car and stealing a wallet or other personal documents, the hundreds of millions of APIs connecting us to our vehicles hold the most significant security risk. This is why automotive companies must take action to protect and discover unknown and exposed APIs.

Latest in Cybersecurity
Cybersecurity In A Bubble
Industrial Cybersecurity Predictions for 2024 - Part 1
December 20, 2023
Ransomware
Ransomware Rages On
December 20, 2023
Automobile Cockpit, Various Information Monitors And Head Up Displays
The Risks of Having Your Vehicle Hacked
December 20, 2023
Computer Crime Concept 516607038 2125x1416 (1)
Implementing a Sustainable Cyber Resilience Strategy
December 19, 2023
Related Stories
Cybersecurity In A Bubble
Cybersecurity
Industrial Cybersecurity Predictions for 2024 - Part 1
Ransomware
Cybersecurity
Ransomware Rages On
Computer Crime Concept 516607038 2125x1416 (1)
Cybersecurity
Implementing a Sustainable Cyber Resilience Strategy
How a Candle Manufacturer Grew from Kitchen Table to 7 Figures
Sponsored
How a Candle Manufacturer Grew from Kitchen Table to 7 Figures
More in Cybersecurity
Cybersecurity In A Bubble
Cybersecurity
Industrial Cybersecurity Predictions for 2024 - Part 1
The tools, tactics, bad actors and regulations that will impact the year ahead.
December 20, 2023
Ransomware
Cybersecurity
Ransomware Rages On
Projections indicate a 60 percent increase in ransomware attacks next year, but it's not all doom and gloom.
December 20, 2023
Computer Crime Concept 516607038 2125x1416 (1)
Cybersecurity
Implementing a Sustainable Cyber Resilience Strategy
There's a clear and urgent warning to take immediate action in the face of ever-evolving cyber threats.
December 19, 2023
Ep68tn
Cybersecurity
Security Breach: The Growing Impact of Hacktivists and State-Sponsored Groups
Unintended advancements by state-sponsored hackers are impacting ICS security and elevating network visibility needs.
December 14, 2023
Ep672
Video
Security Breach: Vulnerability Data from 'The Wild'
MITRE’s ATT&CK knowledgebase, and the intrusion patterns, hacker tactics and response data it provides.
December 7, 2023
Computer Security 509230826 2122x1416 (1)
Cybersecurity
Three Ways to Bolster OT Security and Visibility
Evolving data transfer needs have created attack vectors and introduced vulnerabilities that will be exploited if left unaddressed.
December 6, 2023
Robot Programmer
Cybersecurity
Manufacturing Needs an Upgrade
This shift is not just about quantum developments, but also the need for greater agility and backward-compatible cryptography.
December 5, 2023
Steph Thumb
Video
Security Breach: Walking the Line
Balancing resources to keep the bad guys out, improve real-time visibility, and develop quicker responses to new attacks.
December 1, 2023
This photo provided by the Municipal Water Authority of Aliquippa shows the screen of a Unitronics device that was hacked in Aliquippa, Pa., on Saturday, Nov. 25, 2023. The hacked device was in a pumping booster station owned by the Municipal Water Authority of Aliquippa. An electronic calling card left by the hackers suggests they picked their target because it uses components made by an Israeli company.
Cybersecurity
Congressmen Ask DOJ to Investigate Water Utility Hack
They are warning it could happen anywhere.
December 1, 2023
Ap23332642298991
Cybersecurity
Ransomware Attack Prompts Hospitals to Divert Some ER Patients
The health care chain operates 30 hospitals in six states.
November 29, 2023
Computer Electronic Circuit Blue Color, Faded At The Sides 636447976 7138x4764 (1)
Supply Chain
The Double-Edged Sword of Collaboration in the Semiconductor Industry
More players and deeper roots in the U.S. will drive greater outcomes for the entire chip industry — but it will also come with risks.
November 28, 2023
Ransomware
Cybersecurity
Ransomware on the Rise: Prevention and Recovery Strategies
Cybercriminals are continuously evolving their tactics, and the consequences of a successful ransomware attack could be devastating.
November 27, 2023
Computer Crime Concept 516607038 2125x1416 (1)
Cybersecurity
Remember, We’re All Just an IP Address to Cyber Criminals
There are countless cyber criminals perfectly content to randomly scan for vulnerable targets, including small manufacturers.
November 21, 2023
Ep73
Video
Breaking Down the Boeing Hack
Industry experts assess the ransomware attack, the attacker, and critical takeaways for manufacturers of all sizes.
November 21, 2023
Protection Background Technology Security 524882074 701x502 (1)
Industry 4.0
Put the Risk Management Spreadsheets to Bed
Keeping pace with threat actors that can easily automate the discovery of vulnerabilities calls for automated tools that expand visibility.
November 19, 2023