This week, we focus on automotive cybersecurity. Guest contributor Ling Cheng of VicOne shares the security benefits of the Pwn2Own Automotive event. We explore Sam Curry’s success uncovering API flaws at Subaru; car hacking as a career choice; and CISA director Jen Easterly’s case for secure design, inspired by automotive safety. In February, I’ll chat with automotive cybersecurity expert Darren Shelcusky for his insights about API security and DevSecOps for the connected vehicle ecosystem.
Industry News: Pwn2Own contest enhances automotive security
By guest contributor Ling Cheng, Sr. Product Marketing Manager at VicOne Inc.
As software-defined vehicles (SDVs) become more prevalent, concerns over vulnerabilities and the risks of cyberattacks are increasing. By identifying zero-day vulnerabilities through contests like Pwn2Own Automotive, VicOne aims to strengthen security measures, promote cyberattack prevention, and lay the foundation for the future of vehicle security. These events allow zero-day vulnerabilities to be identified early, before they circulate in underground markets, enabling swift countermeasures to mitigate damage and enhance product security.
This is why VicOne’s collaboration with Trend Micro’s Zero Day Initiative (ZDI) vulnerability research community to host Pwn2Own Automotive is so impactful. World-class security researchers conduct real-world testing of the latest automotive technologies to uncover zero-day vulnerabilities before they can be exploited. In just three days, 49 unique zero-day vulnerabilities were identified, exceeding the total discovered in 2023. By bringing these issues to light, Pwn2Own Automotive plays a key role in improving cybersecurity and building safer, more resilient vehicles. As the industry evolves, proactive risk management like this must be a priority for every automaker.
Read our blog for firsthand insights on the discoveries made during these three days.
- Day 1: 16 automotive zero-day vulnerabilities uncovered
- Day 2: Tesla EV charger exploits take the spotlight
- Day 3: New Master of Pwn crowned and other day-three highlights
Article: Vehicle cybersecurity skills are in demand
Vehicle electrification and connectivity are in high demand, with projections showing that by 2030, “95 percent of new vehicles sold globally will be connected”. However, this connectivity also expands the attack surface and increases the risk of cyberattacks against vehicle owners.
Meanwhile, regulations such as the US Cybersecurity Improvement Act and UNECE WP.29 in Europe are driving the need for automotive cybersecurity experts. In his article, CISO Luciano Ferrari makes the case for upskilling in vehicle hacking techniques as a critical career path.
Another key area offering a path into the automotive industry is API security, essential for safeguarding connected vehicles. With APIs now pervasive across the automotive ecosystem, skills in secure API design and development are crucial to preventing unauthorized access and cyber threats, and protecting drivers and their connected vehicles.
Vulnerability: Researchers exploit API design bugs at Subaru
Security researchers Sam Curry and Shubham Shah recently discovered critical API vulnerabilities in an employee website of automobile manufacturer Subaru. These flaws allowed unauthenticated users to remotely control vehicles in the United States, Japan, and Canada.
The attack chained two API vulnerabilities. The first step was obtaining a valid Subaru employee email address. Candidate addresses could be derived from names found in a simple LinkedIn search, and an auth API endpoint then confirmed which ones were real: it returned one error message when the address was not registered and a different response when it was. That difference let an attacker submit guesses until one was confirmed, a classic account enumeration vulnerability. The fix is a single generic failure response for both unknown accounts and wrong passwords; OWASP provides useful guidelines for error messages.
Once a valid employee email address was identified, the researchers exploited a second flaw in the password reset endpoint: it accepted a password reset for any registered email address without any verification that the requester controlled that account or mailbox.
This is another well-documented security issue flagged in OWASP guidelines: “In order to allow a user to request a password reset, you will need to have some way to identify the user”. A reset should only complete with a secret, single-use, time-limited token delivered out of band to the address on file.
By exploiting these two vulnerabilities, the researchers obtained employee credentials, granting them access to the Subaru employee portal. From there, they gained remote administrator privileges over customer vehicles.
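The two flaws described above, and the corresponding hardened handlers, as an added example. This is constructed demonstration code, not Subaru's or the researchers' code: the user store, the e-mail address, the passwords and the in-memory "outbox" that stands in for e-mail delivery are all made up, and the endpoints are modelled as plain Python functions rather than a real web service.

```python
# Constructed demonstration, not Subaru's code: the two API design flaws
# described above (account enumeration through differing auth responses,
# and a password reset with no verification step) next to hardened
# handlers. All users, addresses and passwords below are made up.
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac

_SALT = b"demo-salt"   # one global salt keeps the demo short; use per-user salts in practice


def _hash(password: str) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed user store: email -> password hash.
USERS = {"alice@example.com": _hash("correct horse")}
_DUMMY_HASH = _hash("not-a-real-password")   # hashed against for unknown users


# --- Flaw 1: the auth endpoint reveals whether the email is registered ---

def login_vulnerable(email: str, password: str) -> dict:
    """Distinct responses for 'no such user' and 'wrong password'."""
    if email not in USERS:
        return {"status": 404, "error": "unknown email address"}
    if not hmac.compare_digest(USERS[email], _hash(password)):
        return {"status": 401, "error": "invalid password"}
    return {"status": 200}


def login_hardened(email: str, password: str) -> dict:
    """One generic failure response. The hash is computed even for unknown
    users so response timing does not leak what the message hides."""
    known = email in USERS
    stored = USERS.get(email, _DUMMY_HASH)
    matches = hmac.compare_digest(stored, _hash(password))
    if not (known and matches):
        return {"status": 401, "error": "invalid email or password"}
    return {"status": 200}


def enumerate_emails(login, candidates) -> set:
    """Attacker's view: any candidate whose failure response differs from
    that of a random, certainly-unregistered address is a valid account."""
    probe = f"nobody-{secrets.token_hex(4)}@example.com"
    baseline = login(probe, "wrong-password")
    return {c for c in candidates if login(c, "wrong-password") != baseline}


# --- Flaw 2: password reset with no proof of account ownership ---

def reset_password_vulnerable(email: str, new_password: str) -> dict:
    """Anyone who knows a registered address can choose its new password."""
    if email in USERS:
        USERS[email] = _hash(new_password)
    return {"status": 200}


RESET_TOKENS: dict = {}   # token -> (email, expiry as epoch seconds)
OUTBOX: list = []         # constructed stand-in for the e-mail channel
TOKEN_TTL = 15 * 60


def request_reset(email: str) -> dict:
    """Step 1 of the hardened flow: identical reply whether or not the
    address is registered; the single-use token only goes to the mailbox."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = (email, time.time() + TOKEN_TTL)
        OUTBOX.append((email, token))
    return {"status": 200,
            "message": "If that address is registered, a reset link has been sent."}


def complete_reset(token: str, new_password: str) -> dict:
    """Step 2: the new password is accepted only with a valid, unexpired,
    never-before-used token, which is what proves mailbox ownership."""
    entry = RESET_TOKENS.pop(token, None)   # pop makes the token single-use
    if entry is None or entry[1] < time.time():
        return {"status": 400, "error": "invalid or expired reset token"}
    USERS[entry[0]] = _hash(new_password)
    return {"status": 200}


if __name__ == "__main__":
    targets = ["alice@example.com", "bob@example.com"]
    print("vulnerable endpoint leaks:", enumerate_emails(login_vulnerable, targets))
    print("hardened endpoint leaks:  ", enumerate_emails(login_hardened, targets))
    reset_password_vulnerable("alice@example.com", "attacker-chosen")
    print("takeover via unverified reset:", login_hardened("alice@example.com", "attacker-chosen"))
    request_reset("alice@example.com")
    _, token = OUTBOX[-1]
    print("hardened reset:", complete_reset(token, "owner-chosen"),
          "token reuse:", complete_reset(token, "again"))
```

Note that `request_reset` is deliberately as quiet as the hardened login: the reset endpoint is itself a common enumeration oracle, so it returns the same message for registered and unregistered addresses and only differs in the side effect the attacker cannot observe.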
Basic security controls such as uniform authentication error responses and verified password resets can be defined during the API design phase and documented as part of the development lifecycle. Security teams can then use that documentation as the basis for testing and validating API security before deployment. This kind of collaboration between security and development helps keep blatant vulnerabilities like these out of production APIs.
Article: What vehicle safety can teach us about API security
In her article “Building a Secure by Design Ecosystem”, CISA Director Jen Easterly draws parallels between the evolution of automotive safety in the 1960s and the current state of software security, noting that we are in the “before seat belts” era of software development.
Much like the auto industry’s shift to safety features like seatbelts and anti-lock brakes to prevent accidents, Easterly argues that the software industry must prioritize secure design principles to prevent vulnerabilities. Drawing from her own software development experience at the US Army, the Intelligence community and Morgan Stanley, she reports the “undeniable” results from investing in secure software design and development practices.
“We don’t have a cybersecurity problem; we have a software quality problem”
Strict regulations for functional safety govern the development of automotive software, with the goal of minimizing bugs and producing high quality and predictable (i.e. safe) software. That outcome is achieved through mandated software engineering practices like requirements verification, traceability, and testing.
The same principles apply to API security. The vulnerabilities and preventive practices are well documented. The challenge now is embedding security into the fabric of API development, from the first line of code to deployment, making it, as Easterly puts it, “a core identity for software developers.”
Webinar: API Security for the Connected Vehicle Ecosystem
I’m thrilled to connect with automotive cybersecurity expert Darren Shelcusky to explore his deep expertise and valuable insights on successfully driving API security and DevSecOps programs in the automotive industry. Register