BLOG

Buckle Up and Protect your Ride. The Importance of API Security for the Connected Vehicle

Last week 42Crunch and VicOne, a Trend Micro subsidiary, announced a unique and vitally important partnership for the automotive industry. Our partnership is the first of its kind to address the mission critical role API security plays for automotive manufacturers as the software driven vehicle becomes an increasingly vulnerable attack surface for rogue actors.

Automotive: Another Attack Surface

In today’s interconnected world, the automotive industry is experiencing a rapid transformation, with vehicles becoming increasingly connected and reliant on digital technologies. From advanced infotainment systems to autonomous driving features, modern vehicles are equipped with a myriad of sensors, processors, and communication interfaces that enable seamless interaction with the external environment and backend systems.
Vehicles are now more interconnected than ever before, with numerous electronic control units (ECUs) and communication interfaces. This interconnectedness delivers many benefits from improved vehicle performance, enhanced infotainment experiences, and ultimately greater convenience, but also increases the potential attack surface for cyber threats, as malicious actors seek to exploit vulnerabilities to gain unauthorized access or control over vehicle systems. Witness for example the vulnerabilities identified by researcher Sam Curry last year in automotive APIs and software from several automotive suppliers.

VicOneā€™s own research also indicates that between the second half of 2022 and the first half of 2023 API related attacks accounted for 12% of all cyber attacks on automotive players.1

In 2023 these attacks tended to be concentrated in North America and Europe, continuing the same trend seen in 2022. In terms of general security incidents, however, Asiaā€“Pacific had a notable share of reports, especially in the first half of 2023. 2

ā€œWhereas automotive cybersecurity not long ago focused almost exclusively on in-vehicle APIs, it must today account for API attacks within and among vehicles, the cloud and mobile. This partnership brings together 42Crunchā€™s proven expertise in API security and ours in automotive cybersecurity to enable a solution engineered for the new, more complex reality in this industry.ā€

Max Cheng
CEO
VicOne

Regulations & Standards Mandate API Protection

Thankfully, unlike some other industries,Ā  the leading global standard institutions have launched initiatives to address these challenges being faced by the auto industry. They have created a common set of cybersecurity procedures and practices specific to the manufacturing and development of the connected vehicle for all manufacturers to adhere to.

ISO 21434
The International Standardization Organization (ISO) and the Society of Automotive Engineers (SAE) published the ā€œRoad vehiclesā€”Cybersecurity Engineeringā€ standard 21434 as a framework for engineering cybersecurity into a vehicle.

UN R155
In parallel, the United Nations Economic Commission for Europe (UNECE) published the WP.29 R155 regulation that requires original equipment manufacturers (OEMs) to prove that their vehicle software and connected ecosystem have gone through rigorous cybersecurity measures during development and after production. Failure to do so means an OEM would not be able to sell their vehicles in UNECE-regulated markets until they remediate cybersecurity gaps.

These standards and regulations are very rigorous and relate to protection of not only the in-vehicle software but anything that can remotely change or query the state of a vehicle. Cyber relevant off-vehicle areas of reference include manufacturing provisioning, service tools, OTA software updates, backend-end services and APIs.

Achieving compliance with this ISO standard and UN regulation points towards the need for OEMs and automotive industry suppliers to implement robust API security measures to mitigate cyber threats and protect consumer safety not just at the time of manufacturing the vehicle, but throughout the vehicleā€™s lifecycle.

API Security – Under the Hood

The reasons why international bodies are regulating for OEMsĀ  to implement API security strategies are manifold, letā€™s take a look.

  1. Data Protection: Connected cars generate and exchange vast amounts of data, including sensitive information such as location data, vehicle diagnostics, and driver behavior. Secure APIs are essential for protecting this data from unauthorized access, interception, or tampering, ensuring the privacy and safety of vehicle occupants.
  2. Remote Access: Many connected car features, such as remote start, lock/unlock, and vehicle diagnostics, rely on APIs to communicate with backend systems and mobile applications. Secure APIs are necessary to prevent unauthorized parties from exploiting these functionalities to gain control over the vehicle, potentially leading to theft, sabotage, or safety hazards.
  3. Integration with Third-party Services: Connected cars often integrate with various third-party services, such as navigation apps, music streaming platforms, and smart home systems, via APIs. Securing these APIs is essential to prevent malicious actors from compromising the vehicle’s functionality or accessing sensitive data through unauthorized integrations.
  4. Safety and Reliability: In addition to protecting data and preventing unauthorized access, API security is crucial for ensuring the safety and reliability of connected car systems. Vulnerabilities in APIs can be exploited to manipulate vehicle operations, disrupt critical functions, or cause accidents, posing significant risks to vehicle occupants and other road users.

ComprehensiveĀ  API Security Across the SDV and Connected-Vehicle EcosystemĀ 

The partnership announced last week builds on the success both 42Crunch and VicOne have already had in the automotive sector. Now, by combining 42Crunch’s expertise in the field of automotive API security with VicOneā€™s dedicated xNexus Vehicle Security Operations Center into a joint offering, OEMs will benefit from broad protection across their vehicle, cloud and mobile ecosystems.

Not only will the software driven vehicle be a more secure experience, the OEMs will also be able to demonstrate their compliance with industry standards and regulations. Cybersecurity testing such as functional testing, interface testing, penetration testing, fuzz testing, and vulnerability scanning are used to provide evidence of a productā€™s compliance. The xNexus VSOC and 42Crunch platform can provide real-time visibility and insights into anomalous vehicles and connected ecosystem behaviors, security incidents, events and conditions, and responses to mitigate any threats that are detected.

May the road rise before you
My Irish colleagues sometimes quote an old saying that is appropriate for this initiative by our two companies:Ā  ā€œMay the road rise before you, and the wind be always at your backā€.Ā  The harmonizing of cybersecurity standards and practices across the automotive industry promoting trust, transparency, and resilience augurs well for the connected and automated vehicles.

Leveraging our respective capabilities, OEMs are now better placed to address their API security and broader cybersecurity concerns, ensuring the safety and integrity of their software-driven vehicles in this connected world and delivering greater consumer confidence in their marques.

 

1 https://documents.vicone.com/reports/automotive-cyberthreat-landscape-report-2023.pdf
2 https://documents.vicone.com/reports/automotive-cyberthreat-landscape-report-2023.pdf

Latest Resources

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protectionĀ as attacks on automotive APIs climb within and among vehicle, cloud and mobileĀ  DALLAS and TOKYO, May 29, 2024ā€”VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch Ā to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterpriseā€™s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developersā€™ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protectionĀ as attacks on automotive APIs climb within and among vehicle, cloud and mobileĀ  DALLAS and TOKYO, May 29, 2024ā€”VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch Ā to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterpriseā€™s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developersā€™ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.