Automotive Cyber Security for Connected Vehicles

Automotive Cyber Security for Connected Vehicles
From the earliest car radios to the latest smart car technologies, the automotive industry is constantly innovating around automobile connectivity. For example, using the latest phone apps, cars can be remotely locked, unlocked and started without having to search for a set of car keys. Or vehicles can report engine fluid levels and driver behavior to manufacturers’ databases. But there’s a catch. This same convenience and flexibility from connected cars can be used by thieves to steal a car, or worse remotely control a vehicle while in motion, or impact the privacy of car owners. All of this can come about because this vehicle connectivity is enabled by APIs. A recent report stated that 84.5% of automotive attacks were carried out remotely.

Automotive Cybersecurity by the Numbers


The number of automotive API attacks has increased by 380%, accounting for 12% of total incidents.

203 million

Over 203 million cars can receive software over-the-air (SOTA) upgrades which communicate via APIs.

15.5 million

Researchers gained access to an automotive telematics company with the ability to send arbitrary commands to an estimated 15.5 million vehicles.

API Protection for Intelligent Connected Vehicles

The automotive industry, including vehicle makers and makers of vehicle onboard communication services and applications that communicate with one another via GPS receivers and other telematics devices are relying heavily on APIs. Only five years ago, on average a car, included 100 million lines of code. The sheer number of APIs involved in all this code makes them a prime target for attackers. The consequences of a compromised vehicle include:
Automotive Cyber Security - Accident

Injuries and Accidents

It’s only a matter of time before someone is injured from an exploited and out of control vehicle. Even the ability to remotely open doors can cause driver distraction and accidents.
Automotive Cyber Security - Standards violations

Standards Violations

Not meeting standards such as the UNECE R155 or ISO 21434 related to the cyber security of management systems for vehicles can mean legal implications if vehicle systems are compromised due to API exploits related to hosted services, secure software development and unauthorized access.
Automotive Cyber Security - Liability and Reputation

Liability and Reputation

When it comes to vehicle safety, and cybersecurity, regulators pay close attention. So with API security, manufacturers must ensure their applications are operating in a secure and standard way and implement proper oversight and governance. The liability and reputational damage could seriously impact the bottom line.
Automotive Cyber Security - Privacy and PII

Privacy and PII

Vehicles carry a lot of personally identifiable information (PII) and vehicle-related PII can lead to myriad types of fraud. API security flaws could allow attackers to access internal dealer portals, query a VIN number and takeover customer accounts remotely. Not only could this give attackers access to PII, but also change ownership of a vehicle.
Automotive Cyber Security - Disruptions to automotive supply chain

Disruptions to Automotive Supply Chain

A typical vehicle has up to 150 electronic control units (ECU). When it comes to APIs, and the ECU software embedded in millions of vehicles, it can take weeks to correct software flaws. And that can mean huge disruptions to vehicle supply chains.

Limitations of Traditional Solutions to Automotive Cybersecurity

When it comes to APIs used by connected vehicles, the security teams that oversee that connectivity simply lack the visibility and defense capabilities they need to protect the ever-growing risk from APIs and other application connections. Many believe that compliance with industry standards and a “shift-left, DevOps” approach are sufficient solutions to protect their APIs. The problem with these strategies is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs, including legacy and shadow APIs, and API vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate traffic to gain control of a vehicle. Traditional approaches that use WAFs or API gateways depend on easily evadable detection, lack the real-time ability to discern good from bad API activity and are reliant on static, least common denominator protection spread across multiple technology components.

Cequence Secures the Automotive Industry

Automotive Cyber Security - secured by Cequence
But there is good news as potential API cyber security events associated with vehicle systems seem to stem from known API risks. Outside of physical security break ins by cracking locks and stealing vehicle records from a glove box, most API vulnerabilities can be associated with the OWASP API Security Top 10 list.
Cequence Security believes in taking a holistic approach to defending against API-related vehicle cybersecurity automotive risk with a market-defining Unified API Protection solution that goes beyond traditional API security that may focus solely on one aspect of the API protection journey. Achieving true peace of mind for comprehensive API attack protection means traveling through the three steps associated with the Unified API Protection solution: Discover, Comply, and Protect.

Why Cequence?

With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless of attackers. It significantly improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
Cequence Unified API Protection solution

Get an Attacker’s View
into Your Organization