Attackers, Take the Wheel: API Vulnerabilities Found in 16 Car Brands

PUBLISHED ON February 15, 2023
LAST UPDATED Feb 15, 2023

The dream of self-driving cars has been around since the days of the Jetsons, Knight Rider, and iRobot. In 2016, Elon Musk made this dream a reality with the launch of Tesla’s Autopilot 2.0 driver-assistance program. However, reports of accidents caused by drivers misusing the autopilot system have become increasingly common. In addition, cybercriminals hijacking smart cars has now become a concern, with 16 car brands recently found to have significant API vulnerabilities.  

From Dream, to Reality, Then Nightmare 

API vulnerabilities in modern vehicles have become a growing concern in recent years as cars have become increasingly connected and rely on complex networks of software and hardware. A recent study conducted by security researchers found that 16 major car brands are affected by various API vulnerabilities, which could potentially allow hackers to gain unauthorized access to vehicles, steal sensitive information, and even take control of the car. 

As reported by HackerNews, the 16 car brands that were found to be affected by API vulnerabilities include BMW, Ford, General Motors, Honda, Hyundai, Jaguar, Land Rover, Kia, Mazda, Mercedes-Benz, Nissan, Porsche, Renault, Toyota, Volkswagen, Volvo, and Tesla. The study identified various types of API vulnerabilities, including missing authentication, weak encryption, and lack of input validation, which could be exploited by attackers to gain access to the vehicle’s network. 

Types of API Vulnerabilities Found in Cars 

Two of the most concerning API vulnerabilities found in these car brands were the lack of authentication and weak encryption for API calls. This means that anyone with a basic understanding of programming could potentially access the vehicle’s network and control various functions, such as the brakes, accelerator, and steering. In some cases, attackers could even gain access to sensitive information, such as the vehicle’s location and the owner’s personal data. Weak encryption could allow attackers to intercept and decrypt sensitive information, such as the vehicle’s location, speed, and other telemetry data. In some cases, this information could be used to target the vehicle or steal sensitive information from the owner. 

Learn more about authentication vulnerabilities in APIs in Broken User Authentication: What It Is, How We Can Help.

Another major issue found in these car brands was the lack of input validation in API calls, which could allow attackers to inject malicious payloads into the vehicle’s network and gain unauthorized access to the car. This type of vulnerability could also allow attackers to execute arbitrary code on the vehicle’s network, which could lead to serious consequences, such as stealing sensitive information, compromising the vehicle’s safety systems, and even taking control of the car. 
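To make the two preceding issues concrete, here is an added example (not code from the research, from any manufacturer, or from the original post) showing a hypothetical vehicle-command API handler first with missing authentication and no input validation, then a hardened version that verifies a bearer token, checks that the caller owns the vehicle, and validates the VIN and command before doing anything. The endpoint, the VIN, the account ids, and the token secret are all constructed for illustration; transport encryption (TLS) is assumed to be handled at the deployment layer and is not shown.

```python
import hashlib
import hmac
import re

# All data below is constructed for this example; it is not real vehicle data.
VEHICLE_OWNERS = {"1HGEXAMPLE0000001": "user-42"}   # hypothetical ownership table
TOKEN_SECRET = b"placeholder-secret-replace-in-production"  # placeholder value

# A VIN is 17 characters and never uses the letters I, O or Q.
VIN_PATTERN = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")
# Allow-list of commands the API may forward to the vehicle.
ALLOWED_COMMANDS = {"lock", "unlock", "locate"}


def issue_token(user_id: str) -> str:
    """Server-side token issuance: 'user_id.hexmac', bound to the account."""
    mac = hmac.new(TOKEN_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_token(token: str):
    """Return the user_id carried by a valid token, or None if it fails."""
    if not token or "." not in token:
        return None
    user_id, mac = token.rsplit(".", 1)
    expected = hmac.new(TOKEN_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing.
    return user_id if hmac.compare_digest(mac, expected) else None


def vulnerable_command(request: dict) -> dict:
    """Deliberately flawed handler: no authentication, no ownership check,
    and the command string is forwarded without validation."""
    vin = request.get("vin")
    command = request.get("command")
    return {"status": 200, "vin": vin, "executed": command}


def hardened_command(request: dict) -> dict:
    """Hardened handler: authenticate, validate every input, then authorize."""
    user_id = verify_token(request.get("authorization", ""))
    if user_id is None:
        return {"status": 401, "error": "missing or invalid token"}

    vin = request.get("vin", "")
    if not isinstance(vin, str) or not VIN_PATTERN.match(vin):
        return {"status": 400, "error": "malformed vin"}

    command = request.get("command")
    if command not in ALLOWED_COMMANDS:
        return {"status": 400, "error": "unsupported command"}

    # Object-level authorization: the caller must own this vehicle.
    # 404 rather than 403 so an unauthenticated party cannot confirm VINs exist.
    if VEHICLE_OWNERS.get(vin) != user_id:
        return {"status": 404, "error": "vehicle not found"}

    return {"status": 200, "vin": vin, "executed": command}


if __name__ == "__main__":
    anonymous = {"vin": "1HGEXAMPLE0000001", "command": "unlock"}
    print("vulnerable:", vulnerable_command(anonymous))
    print("hardened, no token:", hardened_command(anonymous))
    owner = dict(anonymous, authorization=issue_token("user-42"))
    print("hardened, owner:", hardened_command(owner))
    stranger = dict(anonymous, authorization=issue_token("user-99"))
    print("hardened, other account:", hardened_command(stranger))
```

The order of checks matters: authentication comes first so unauthenticated traffic costs the least, input validation rejects anything that is not a well-formed VIN or an allow-listed command before any backend lookup, and the ownership check runs last against already-validated values. Logging the 401, 400 and 404 outcomes per account and per source gives the detection side a direct signal for credential stuffing, fuzzing, or VIN enumeration against the endpoint.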

The discovery of API vulnerabilities in 16 prominent car brands highlights the vulnerability of modern vehicles to cyberattacks, emphasizing the need for improved security measures. To ensure the protection of customer data and vehicle security, car manufacturers need to develop software with security in mind to address any vulnerabilities and implement strong security defenses. 

Skimping on Cybersecurity Puts Consumers at Risk 

Cybercriminals are always exploring new avenues to launch their attacks, and this often includes abusing technological advances to wreak havoc. The explosion of Internet-connected devices has made users more susceptible to cyberattacks than ever before. The increasing number of connected devices, including smart cars, cellphones, laptops, smart homes, and wearables, has created a larger attack surface for cybercriminals to exploit. For example, a vulnerability in a single device can be used to launch a coordinated attack against multiple devices, compromising the security of the entire network. With more devices connected to the Internet, there are more opportunities for attackers to access sensitive information and to cause harm.

More often than not, all these smart programs are designed without security in mind, leaving them vulnerable to attacks. As a result, users are often unaware of the risks associated with these devices or, in this case, their brand-new Porsche or Mercedes-Benz. It is imperative that car manufacturers take steps to improve the security of their products.  

“The interconnectedness of our devices is making securing cars more challenging — as exemplified by cyberattacks on cars increasing by 225% in the last three years, with 84.5% of these attacks executed remotely,” Sandeep Singh, senior manager of technical services at HackerOne, said in a statement, explaining the uptick in automotive hacks and the need for collaborating with the ethical hacking community.  

Weak Cybersecurity Affects More Than Data  

In today’s digital age, cybersecurity has become critical as more and more products and services are connected to the Internet and, therefore, vulnerable to cyberattacks. With Internet-connected cars, the dangers of weak cybersecurity range from physical harm to monetary and brand damage. Consumers are increasingly concerned about the protection of their personal data, and a brand’s lack of security measures may influence the buyer’s decision on the next car brand they’ll choose. It is essential for companies to prioritize both physical security and cybersecurity to ensure their customers are protected while behind the wheel and connected to their network. At the end of the day, corporations need to take responsibility to build more secure products and services while investing in their security programs to prevent data breaches.

To achieve this balance, companies must invest in robust cybersecurity measures and educate employees on the importance of cybersecurity. To learn more about API security, download ThreatX’s publication of The Definitive Guide to API Attack Protection or follow us on LinkedIn to stay up to date with all upcoming educational events.

To learn more about ThreatX’s managed API and application protection, schedule a demo. 


About the Author

Sydney Coffaro

Experienced subject-matter expert focused on cybersecurity automation, incident response, APIs, and application security with a demonstrated history of working in fast-paced early stage startups. Sydney is a certified product manager, Scrum Master, and has led technical sales initiatives for go to customer teams that resulted in the acquisition of hundreds of customers.