Buckle Up and Protect your Ride. The Importance of API Security for the Connected Vehicle

Last week 42Crunch and VicOne, a Trend Micro subsidiary, announced a unique and vitally important partnership for the automotive industry. Our partnership is the first of its kind to address the mission critical role API security plays for automotive manufacturers as the software driven vehicle becomes an increasingly vulnerable attack surface for rogue actors.

Automotive: Another Attack Surface

In today’s interconnected world, the automotive industry is experiencing a rapid transformation, with vehicles becoming increasingly connected and reliant on digital technologies. From advanced infotainment systems to autonomous driving features, modern vehicles are equipped with a myriad of sensors, processors, and communication interfaces that enable seamless interaction with the external environment and backend systems.
Vehicles are now more interconnected than ever before, with numerous electronic control units (ECUs) and communication interfaces. This interconnectedness delivers many benefits from improved vehicle performance, enhanced infotainment experiences, and ultimately greater convenience, but also increases the potential attack surface for cyber threats, as malicious actors seek to exploit vulnerabilities to gain unauthorized access or control over vehicle systems. Witness for example the vulnerabilities identified by researcher Sam Curry last year in automotive APIs and software from several automotive suppliers.

VicOne’s own research also indicates that between the second half of 2022 and the first half of 2023 API related attacks accounted for 12% of all cyber attacks on automotive players.¹

In 2023 these attacks tended to be concentrated in North America and Europe, continuing the same trend seen in 2022. In terms of general security incidents, however, Asia–Pacific had a notable share of reports, especially in the first half of 2023. ²

“Whereas automotive cybersecurity not long ago focused almost exclusively on in-vehicle APIs, it must today account for API attacks within and among vehicles, the cloud and mobile. This partnership brings together 42Crunch’s proven expertise in API security and ours in automotive cybersecurity to enable a solution engineered for the new, more complex reality in this industry.”

Max Cheng
CEO
VicOne

Regulations & Standards Mandate API Protection

Thankfully, unlike some other industries,  the leading global standard institutions have launched initiatives to address these challenges being faced by the auto industry. They have created a common set of cybersecurity procedures and practices specific to the manufacturing and development of the connected vehicle for all manufacturers to adhere to.

ISO 21434
The International Standardization Organization (ISO) and the Society of Automotive Engineers (SAE) published the “Road vehicles—Cybersecurity Engineering” standard 21434 as a framework for engineering cybersecurity into a vehicle.

UN R155
In parallel, the United Nations Economic Commission for Europe (UNECE) published the WP.29 R155 regulation that requires original equipment manufacturers (OEMs) to prove that their vehicle software and connected ecosystem have gone through rigorous cybersecurity measures during development and after production. Failure to do so means an OEM would not be able to sell their vehicles in UNECE-regulated markets until they remediate cybersecurity gaps.

These standards and regulations are very rigorous and relate to protection of not only the in-vehicle software but anything that can remotely change or query the state of a vehicle. Cyber relevant off-vehicle areas of reference include manufacturing provisioning, service tools, OTA software updates, backend-end services and APIs.

Achieving compliance with this ISO standard and UN regulation points towards the need for OEMs and automotive industry suppliers to implement robust API security measures to mitigate cyber threats and protect consumer safety not just at the time of manufacturing the vehicle, but throughout the vehicle’s lifecycle.

API Security – Under the Hood

The reasons why international bodies are regulating for OEMs  to implement API security strategies are manifold, let’s take a look.

1. Data Protection: Connected cars generate and exchange vast amounts of data, including sensitive information such as location data, vehicle diagnostics, and driver behavior. Secure APIs are essential for protecting this data from unauthorized access, interception, or tampering, ensuring the privacy and safety of vehicle occupants.
2. Remote Access: Many connected car features, such as remote start, lock/unlock, and vehicle diagnostics, rely on APIs to communicate with backend systems and mobile applications. Secure APIs are necessary to prevent unauthorized parties from exploiting these functionalities to gain control over the vehicle, potentially leading to theft, sabotage, or safety hazards.
3. Integration with Third-party Services: Connected cars often integrate with various third-party services, such as navigation apps, music streaming platforms, and smart home systems, via APIs. Securing these APIs is essential to prevent malicious actors from compromising the vehicle’s functionality or accessing sensitive data through unauthorized integrations.
4. Safety and Reliability: In addition to protecting data and preventing unauthorized access, API security is crucial for ensuring the safety and reliability of connected car systems. Vulnerabilities in APIs can be exploited to manipulate vehicle operations, disrupt critical functions, or cause accidents, posing significant risks to vehicle occupants and other road users.

Comprehensive  API Security Across the SDV and Connected-Vehicle Ecosystem 

The partnership announced last week builds on the success both 42Crunch and VicOne have already had in the automotive sector. Now, by combining 42Crunch’s expertise in the field of automotive API security with VicOne’s dedicated xNexus Vehicle Security Operations Center into a joint offering, OEMs will benefit from broad protection across their vehicle, cloud and mobile ecosystems.

Not only will the software driven vehicle be a more secure experience, the OEMs will also be able to demonstrate their compliance with industry standards and regulations. Cybersecurity testing such as functional testing, interface testing, penetration testing, fuzz testing, and vulnerability scanning are used to provide evidence of a product’s compliance. The xNexus VSOC and 42Crunch platform can provide real-time visibility and insights into anomalous vehicles and connected ecosystem behaviors, security incidents, events and conditions, and responses to mitigate any threats that are detected.

May the road rise before you
My Irish colleagues sometimes quote an old saying that is appropriate for this initiative by our two companies:  “May the road rise before you, and the wind be always at your back”.  The harmonizing of cybersecurity standards and practices across the automotive industry promoting trust, transparency, and resilience augurs well for the connected and automated vehicles.

Leveraging our respective capabilities, OEMs are now better placed to address their API security and broader cybersecurity concerns, ensuring the safety and integrity of their software-driven vehicles in this connected world and delivering greater consumer confidence in their marques.

¹ https://documents.vicone.com/reports/automotive-cyberthreat-landscape-report-2023.pdf
² https://documents.vicone.com/reports/automotive-cyberthreat-landscape-report-2023.pdf