January 4, 2023

A bumpy ride into API insecurity

Following on from previously reported connected car API problems, the worst disclosure to date has been published.

We previously wrote about the API security disclosures affecting Hyundai and SiriusXM. On January 4, 2023, researchers released further information about API security issues in the connected car space, and the details are startling. The story was first brought to our attention via Dark Reading.

What API security research was disclosed?

In this case, there are a range of issues originating from connected car systems.

Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.
The security flaws impacted well-known brands, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.
The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.

What could the effects of these API security misconfigurations have been?

As with previous reports, remote opening and remote starting appear to have been possible and proven by the security researchers. However, in these disclosures, there were two other implications to connected systems.

Lateral movement into enterprise networks

APIs often sit at the edge of a corporate network, exposing functions to third parties. This is intended; it is, in fact, what APIs are designed to do. The implication, however, is that if an API is vulnerable, the network behind it could potentially be reachable:

The most severe API flaws were found in BMW and Mercedes-Benz, which were affected by company-wide SSO (single-sign-on) vulnerabilities that enabled attackers to access internal systems.

In this case, several cloud-based systems shared credentials. Some systems that became accessible were internal tools, customer and dealer info, as well as full inventory databases. Other systems are part of the company's software build pipeline, enabling a potential supply chain attack.

What would the attack path be?

  1. Breach the API by using a VIN, owner's email address or other single-factor authentication method (arguably not even single-factor authentication).
  2. Use common API methods to enumerate all the information about this user.
  3. With this user data, use the user account to access the company's single sign-on (SSO) systems.
  4. Use this SSO access to reach systems that are part of the pipeline, such as code repositories or software build servers.
  5. Inject code or inject third-party components into the build.

Exposing customer personally identifiable information (PII)

One common problem in APIs is that organizations assume that if you are entitled to access an API, you are entitled to access any information that sits behind it. This is commonly called broken object-level authorization (BOLA) or insecure direct object reference (IDOR). The research disclosed today includes several examples of this principle in action, such as:

Exploiting other API flaws allowed the researchers to access PII (personally identifiable information) for owners of KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche, and Toyota cars.

And:

An attacker could exploit these flaws to access, modify, or delete any Ferrari customer account, manage their vehicle profile, or set themselves as car owners.

This last point - setting themselves as car owners - is an example of broken function-level authorization (BFLA), where an authenticated user can invoke API functions (here, changing who owns a vehicle) that should be restricted to a privileged role.
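To make the BOLA and BFLA distinction concrete, here is an added example (not code from the research or from any manufacturer's backend) showing a vehicle-lookup handler and an owner-change handler, each in a vulnerable form beside its fixed form. The vehicle records, VINs, user names and roles are all constructed for the illustration.

```python
# Constructed sample data standing in for a connected-car backend's records.
VEHICLES = {
    "VIN-EXAMPLE-0001": {"owner": "alice", "location": "garage A"},
    "VIN-EXAMPLE-0002": {"owner": "bob", "location": "garage B"},
}
# Constructed role assignments: only the "dealer" role may reassign ownership.
ROLES = {"alice": "owner", "bob": "owner", "dana": "dealer"}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_vehicle_bola(user, vin):
    # Vulnerable (BOLA/IDOR): any authenticated user who knows or guesses a VIN
    # receives the record, including the owner's identity and location.
    return VEHICLES[vin]


def get_vehicle_fixed(user, vin):
    # Fixed: look the record up, then confirm it belongs to the caller.
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != user:
        # Same response for "not found" and "not yours", so the endpoint
        # cannot be used to confirm which VINs exist.
        raise Forbidden("vehicle not accessible")
    return vehicle


def set_owner_bfla(user, vin, new_owner):
    # Vulnerable (BFLA): reachable by any authenticated account, so an account
    # holder can make themselves the owner of someone else's car.
    VEHICLES[vin]["owner"] = new_owner


def set_owner_fixed(user, vin, new_owner):
    # Fixed: enforce a role check on the function itself, independent of
    # which object is being modified.
    if ROLES.get(user) != "dealer":
        raise Forbidden("ownership changes require the dealer role")
    VEHICLES[vin]["owner"] = new_owner


def can_read(handler, user, vin):
    # True if the handler hands the record to this user, False if it refuses.
    try:
        handler(user, vin)
        return True
    except Forbidden:
        return False
```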

What should I, as a car owner or potential car buyer, do about these API security issues?

Ultimately, for the individual citizen, there is very little that can be done about the security of these systems. Disabling them in the car may be very difficult, or even impossible in some models. Fortunately, all of the car manufacturers and third-party component makers have responded quickly to remediate the risks and vulnerabilities discovered by this research.

However, for individual car buyers, the recommendations are similar to other aspects of managing your own account security:

"When purchasing a used car, make sure that the prior owner's account has been removed. Use strong passwords and set up 2FA (two-factor authentication) if possible for apps and services which link to your vehicle," warned Curry in a statement to BleepingComputer.