Issue 24: Unprotected APIs in implants, storing API secrets


This week, we dive under the skin with unprotected APIs on implanted cardiac defibrillators, and take a spin with a hacked tornado warning system in Texas. We have a story on how Uber used an API vulnerability to drive a competitor out of business. Finally, we look into how to store API keys and how to prevent SQL injections.

Vulnerabilities

IoT security as bad as it gets: 750 000 implanted cardiac defibrillators from Medtronic have unprotected APIs! Even the U.S. Department of Homeland Security had to issue a warning on this one.

Emergency warning systems have unprotected APIs as well. Two cities in Texas had their tornado warning systems hacked to sound alarms in the middle of the night, through an attack as simple as transmitting a radio signal. It turns out that there is no security on these interfaces: you just need to know the radio signal that the system expects. See this Reddit discussion for more details.

Best Practices

Never put your secrets in your source code. Researchers at North Carolina State University found over 100 000 repositories on GitHub that contained API keys and cryptographic keys. The repos in question are public, so anyone can use the keys to take over the accounts. Here is the full report, and a quick summary in ZDNet.

GitHub is working on their Token Scanning tool to somewhat mitigate the issue. However, the tool only checks a few token formats for the most widely used services: AWS, Azure, GCloud, GitHub, Slack, and Stripe.
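The difference between format-based scanning and a more general check is easy to see in code. The following is an added example, written for this issue and not taken from GitHub's Token Scanning tool or the NCSU study: it scans a small constructed source file for two known token shapes (the patterns are assumptions for illustration, not a vendor list) and then applies a Shannon-entropy heuristic to any long quoted string, which is what catches a home-grown key that has no recognisable prefix.

```python
import math
import re
from collections import Counter

# Constructed sample "source file" for this example (not from the page). The
# key strings are fabricated placeholders shaped like real token formats; the
# AKIA... value is the placeholder AWS itself uses in its documentation.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_HOST = "localhost"
stripe_secret = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
internal_api_key = "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
version = "1.13.0"
"""

# Format-specific patterns: the approach a scanner that only knows a few
# providers takes. These two patterns are assumptions for illustration.
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
}

# Generic heuristic for keys with no recognisable prefix: any quoted string of
# 20+ token-like characters whose entropy looks random rather than like a
# hostname or a version number.
QUOTED_STRING = re.compile(r"""["']([A-Za-z0-9_\-+/=]{20,})["']""")
ENTROPY_THRESHOLD_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan(source: str) -> list:
    """Return (line_number, finding_kind) pairs for every suspected secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Pass 1: known provider formats.
        for kind, pattern in FORMAT_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
        # Pass 2: anything long and random-looking, regardless of format.
        for match in QUOTED_STRING.finditer(line):
            if shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD_BITS:
                findings.append((lineno, "high_entropy_string"))
    return findings


if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Run against the sample, the format pass flags lines 1 and 3 only; line 4, a 32-character hex key that matches no vendor format, is reported solely by the entropy pass. A pre-commit hook built on the second pass produces more false positives (long random-looking identifiers, base64 blobs), so in practice the two checks are combined and tuned rather than relying on format matching alone.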

Kubernetes is also working on improving their storage for secrets. It is already in its alpha form in version 1.13, with the release planned for v1.16. The improvements include:

  • No more forever tokens.
  • No secrets in environments.
  • Keys auto-expire on pod restarts.
  • Tokens are bound to specific services.

Business Impact

Here’s an example of how a lack of API security can damage your business, again from Down Under. In Australia, Uber reportedly used the unprotected APIs of a local rival, GoCatch, which exposed information about its drivers and their locations. Uber collected the information, contacted the drivers, and lured them away from the competitor into its own ranks.

Tech 101

Here’s a great educational video about SQL injections by Computerphile. The presenter uses a PHP site as an example, but everything he shows applies equally to REST interface parameters and JSON payloads. Lock down, sanitize, and escape your inputs!
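To make the REST/JSON point concrete, here is an added example (written for this issue, not code from the video or from any project): a lookup handler that takes a JSON body and queries an in-memory SQLite table, shown first with the value spliced into the SQL text, then with a bound parameter, and finally with an input allow-list on top. The table rows, the request bodies and the `USERNAME_ALLOWED` pattern are all constructed for the example.

```python
import json
import re
import sqlite3

# Constructed allow-list for this example: usernames are short, lowercase
# alphanumerics. Anything else is rejected before it reaches the database.
USERNAME_ALLOWED = re.compile(r"^[a-z0-9_]{1,32}$")

# Constructed JSON request bodies (not from the page): one ordinary lookup and
# one carrying the classic tautology shown in the video.
NORMAL_PAYLOAD = json.dumps({"username": "alice"})
HOSTILE_PAYLOAD = json.dumps({"username": "x' OR '1'='1"})


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, payload: str) -> list:
    """Hypothetical 'before' handler: the JSON field is spliced into the SQL text.

    With HOSTILE_PAYLOAD the statement becomes
    ... WHERE username = 'x' OR '1'='1', which matches every row.
    """
    username = json.loads(payload)["username"]
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, payload: str) -> list:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    username = json.loads(payload)["username"]
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, payload: str) -> list:
    """Lock down the input shape first, then still bind the parameter."""
    username = json.loads(payload)["username"]
    if not isinstance(username, str) or not USERNAME_ALLOWED.match(username):
        raise ValueError("username rejected by input allow-list")
    return lookup_parameterized(conn, payload)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, HOSTILE_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, HOSTILE_PAYLOAD))
    try:
        lookup_hardened(db, HOSTILE_PAYLOAD)
    except ValueError as err:
        print("hardened:", err)
```

The parameterized version alone already defeats the injection: the hostile string is compared literally against the column and matches nothing. The allow-list is the "lock down" half of the advice; it rejects the request up front, gives a clean error to log and alert on, and means the database never sees malformed input even if a later query is written carelessly. Note that escaping is the last resort of the three, not a substitute for binding parameters.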

