This week, we check out the API vulnerabilities in the Mercedes-Benz connected cars and the Russian inter-bank money transfer system. We also have the upcoming ASC 2020 conference next week, as well as a recording of IIoT Cybersecurity panel discussion from the recent IIoT World event.

Vulnerability: Mercedes-Benz car control

Black Hat USA has posted the slides and the full research paper from the session “Security Research on Mercedes-Benz: From Hardware to Car Control” by Minrui Yan, Jiahao Li, and Guy Harpak. Too bad there’s no video recording.

Researchers got access to the backend intranet through the eSIM of a Mercedes-Benz E-Class connected car. To get connected, they had to reuse the APN settings, spoof IMEI numbers, and locate and reuse certificates. However, once they got through these hurdles and managed to establish the connection, they found that the APIs themselves were not protected at all.

The researchers could issue commands to any car of the same model in the same region (China in this case, an estimated 2 million connected cars), such as:

  • Locking or unlocking doors
  • Opening or closing the roof
  • Switching lights on or off
  • Making the car beep
  • Starting or stopping the engine (limited)

Quite a list of things, then. Lessons learned here:

  • Never trust the API client: no matter how protected your client and network are, there is a chance that someone breaks through.
  • Always implement both authentication (to prevent unauthorized access once attackers have found your API) and authorization (to prevent IDOR/BOLA-style scope expansion like in this case).

Vulnerability: Russian Inter-Bank Transfer System

The Russian inter-bank money transfer system got hacked through the mobile app of one of the member banks.

Attackers located the vulnerable API by proxying the calls. They found that they could simply replace the source account ID parameter in money transfer calls and the backend would transfer the money, without checking whether the source account belonged to the person invoking the API.

So, how did the attackers get valid account IDs in the first place? To make things worse, another API endpoint allowed them to enumerate the bank’s accounts, giving them a ready-made list of possible victims.

Unfortunately, the attack was identified only after the vulnerability had already been exploited, and the Russian Central Bank had to send banks a warning about it. The story (unfortunately in Russian, so you might need Google Translate) does not give the number of accounts compromised or the total volume of funds stolen.
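Both stories this week are the same bug: the backend authenticates the caller and then acts on whatever object ID the client sends, never asking whether that object belongs to the caller. The following is an added example (not code from either story, nor from any bank or vehicle backend) that puts the vulnerable transfer handler beside its hardened form and applies the same object-level check to a car-command endpoint. Account IDs, VINs, user names, the `Request` shape and the ledger are all constructed for the demo.

```python
"""BOLA / IDOR on two APIs: a money-transfer call and a car-command call.

Added example, not code from either story or from any bank or vehicle
backend. Account IDs, VINs, user names and the request shape are all
constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed ownership records: object id -> owning user.
ACCOUNT_OWNERS = {"acc-1001": "alice", "acc-1002": "bob", "acc-2001": "carol"}
VEHICLE_OWNERS = {"vin-0001": "alice", "vin-0002": "bob"}
ALLOWED_COMMANDS = {"lock", "unlock", "lights_on", "lights_off", "beep"}


def new_ledger() -> dict:
    """Fresh balances in cents, so each run starts from the same state."""
    return {"acc-1001": 50_000, "acc-1002": 80_000, "acc-2001": 1_000}


class Forbidden(Exception):
    """Caller may not act on the requested object."""


@dataclass
class Request:
    """Stand-in for an authenticated API request (hypothetical shape)."""
    user: str                                   # principal established by authentication
    params: dict = field(default_factory=dict)  # client-controlled values


def transfer_vulnerable(req: Request, ledger: dict) -> dict:
    """The flaw from the inter-bank story: authentication happened, but the
    client-supplied source account is debited without an ownership check."""
    src, dst, amount = req.params["src"], req.params["dst"], req.params["amount"]
    ledger[src] -= amount
    ledger[dst] += amount
    return {"status": "ok", "src": src, "dst": dst, "amount": amount}


def require_owner(owners: dict, user: str, object_id: str) -> None:
    """Object-level authorization: the object must exist AND belong to the
    caller. Both failures raise the same error, so the endpoint does not
    double as an enumeration oracle for valid IDs."""
    if owners.get(object_id) != user:
        raise Forbidden("object not accessible")


def transfer_secure(req: Request, ledger: dict) -> dict:
    """Same transfer with the check the vulnerable handler lacked."""
    src, dst, amount = req.params["src"], req.params["dst"], req.params["amount"]
    require_owner(ACCOUNT_OWNERS, req.user, src)   # only the owner may debit src
    if dst not in ledger or amount <= 0 or ledger[src] < amount:
        raise ValueError("invalid transfer")
    ledger[src] -= amount
    ledger[dst] += amount
    return {"status": "ok", "src": src, "dst": dst, "amount": amount}


def car_command_secure(req: Request) -> dict:
    """Car-control variant: the same check keyed on the vehicle, which is the
    authorization step the Mercedes-Benz backend was missing."""
    vin, cmd = req.params["vin"], req.params["command"]
    require_owner(VEHICLE_OWNERS, req.user, vin)
    if cmd not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    return {"status": "queued", "vin": vin, "command": cmd}


def demo() -> dict:
    """Run a request with a swapped source account against both handlers,
    then a vehicle command for an owned and a non-owned car."""
    tampered = Request(user="bob", params={"src": "acc-1001", "dst": "acc-1002", "amount": 20_000})
    out = {}

    ledger = new_ledger()
    transfer_vulnerable(tampered, ledger)
    out["vulnerable_alice_balance"] = ledger["acc-1001"]   # alice's account was debited

    ledger = new_ledger()
    try:
        transfer_secure(tampered, ledger)
        out["secure_rejected"] = False
    except Forbidden:
        out["secure_rejected"] = True
    out["secure_alice_balance"] = ledger["acc-1001"]       # untouched

    own = Request(user="bob", params={"vin": "vin-0002", "command": "lock"})
    out["own_car_ok"] = car_command_secure(own)["status"] == "queued"
    try:
        car_command_secure(Request(user="bob", params={"vin": "vin-0001", "command": "unlock"}))
        out["other_car_rejected"] = False
    except Forbidden:
        out["other_car_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The one design point worth copying is in `require_owner`: a missing object and an object owned by someone else produce the identical error. If the two cases differ (404 versus 403, or different messages), the authorization check itself becomes the account-enumeration endpoint the second story describes.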

Storyline from a heist movie, this one. Lessons learned:


API Security Weekly: Issue #99