Issue 12: Car APIs leaking location, breached security cameras, regulation that helps
Happy New Year to everyone! Here are a few stories that we have collected for you during the holidays.
- Hardcoded credentials for cloud APIs,
- Sequential IDs used for user-level authentication (so you can iterate over the user IDs and get information on all cameras belonging to each user including credentials for direct camera access),
- Out of bound writes that lead to remote code execution.
Looks like the company did not get back to the researches in time and vulnerability information got out in the wild.
API Security Workshop slides from APIdays, Paris have been published by the speaker, Isabelle Mauny from 42Crunch:
- How OWASP applies to APIs,
- Real-life stories of API breaches,
- API security categorization,
- Input validation and sanitization,
- OAuth tips and best practices,
- JWT validation,
- Locating vulnerabilities.
A fascinating RSA Conference IoT security talk by Charles Henderson from IBM’s X-Force Red team had some fascinating API-related nuggets: in one real-life example, car manufactures tried to improve physical security of their customers by limiting geolocation range of for vehicle API to 1 km. However, they simply trusted their mobile app invoking the API to report the location of the invoker correctly and didn’t have any additional security on the API side. As result, the attacker could just keep calling the API enumerating locations and quickly covering significant areas.
John Hawkins (CTO at Lightwell) published an overview of the most common API security mechanisms including:
- access control,
- rate limiting,
- network authentication and encryption,
- protection from DDoS / microservice / application level attacks,
- API design,
- security testing,
Samir Jain & Lisa Ropple argue in Harvard Business Review that instead of punishing companies for security breaches, governments should provide common standards and assistance. Right now physical and digital world have vastly different expectations. In the physical world, if a bank gets robbed police steps in and goes after the criminals. In the digital world, there is somehow expectation that any company is supposed to be able to withstand any attacks including those from nation states.
API security write-up by Taylor Armerding at Synopsys:
- Organizations manage on average 363 APIs, 69% of which are public.
- These APIs increasingly become the main vector of attack.
- The solution is to move API security to design and development phase, and apply existing and new API security technology.