Dear car vendors,
As it happens, I read more and more often about cars that can be controlled through APIs. At first I thought: that's cool. And actually, it is cool! Being able to build, or at least use, an app that lets me pick the welcome song my car plays when I open the door, or that unlocks the doors because I am approaching the car, sounds like a lot of fun.
Unfortunately I read even more often that these APIs are not secure! That almost anybody, not only I, can control my car via those APIs. That some of those APIs even return the required credentials when they are missing from a request.
That is not acceptable!
I am not sure whether you, car vendors, use that technology yourselves in your private lives, or whether you are too afraid to do so. I am! And that is why I like my very basic Hyundai Elantra so much: no APIs == secure! (What a depressing statement! But it seems to be correct for many connected cars.)
The latest news I read was about the Nissan LEAF:
As a software architect who builds secure APIs on top of reliable products (Features | CA Mobile App Services), I find it difficult to understand why this happens again and again. Why are APIs in cars so often insecure? Why is there no awareness that insecure APIs are bad?
These are my theories:
- car vendors are not software engineers and therefore do not understand the technology
- car vendors believe that keeping an API definition secret makes it secure
- car vendors are too proud to ask API design experts for help
- car vendors believe that only their own app can send a request to the car's API
- car vendors categorize APIs as a cost center rather than a profit center and therefore invest as little as possible
- car vendors try to be early adopters of technologies although they do not know what they are doing
This is what I think you should do, dear car vendors:
- hire experienced software engineers
- add a piece of hardware to your cars, an HSM (https://en.wikipedia.org/wiki/Hardware_security_module), so signing and decryption keys never leave tamper-resistant hardware
- add a policy-based API gateway to your cars, even if it is just a 'simple' one: every request is authenticated and checked against a policy before it reaches the car's functions
- do not mix APIs for reading data with APIs for controlling the car; a token that may read the battery level must not be able to unlock the doors
Once you have all of that in place, use well-known technologies such as OAuth, OpenID Connect, JSON Web Tokens (JWT) and PKI to build your APIs.
You will suddenly have APIs that are secure and well documented; you can provide open-source SDKs and build a developer community around them. You will be cool and hip!
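To make the gateway and the read/control separation concrete, here is an added example (my own illustration, not code from any car vendor or from CA Mobile App Services). It models a tiny policy-based gateway in front of a car's API: every route is mapped to a required OAuth-style scope, a bearer JWT is verified (HS256 signature, algorithm pinned, expiry checked) and bound to one vehicle, and a read-only token is refused on control routes. The signing key, VIN and routes are constructed for the demo; in a real deployment the key would live in the HSM and the token would come from an OAuth/OpenID Connect authorization server, which are assumptions here. Note that a request without credentials gets a plain 401 and nothing else: the gateway never returns or mints credentials on the caller's behalf.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In a real car this key would be held in the HSM and the
# signing done there (assumption for this example); it is inline only so the demo runs.
DEMO_KEY = b"constructed-demo-signing-key-not-for-real-use"

# Policy table of the gateway: (method, path) -> scope required to call it.
# Reading data and controlling the car are deliberately separate scopes.
POLICY = {
    ("GET", "/vehicle/status"): "vehicle:read",
    ("POST", "/vehicle/doors/unlock"): "vehicle:control",
    ("POST", "/vehicle/climate/start"): "vehicle:control",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, vin: str, scopes, ttl: int = 300, now=None) -> str:
    """Stand-in for the authorization server: issues an HS256 JWT bound to one VIN."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": vin, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(key: bytes, token: str, now=None) -> dict:
    """Returns the verified claims or raises ValueError. Never trusts the token's own alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses alg=none and algorithm confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # constant-time compare of the MAC
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def gateway(key: bytes, method: str, path: str, vin: str, headers: dict, now=None):
    """Policy decision for one request to the car. Returns (http_status, body)."""
    required_scope = POLICY.get((method, path))
    if required_scope is None:
        return 404, {"error": "unknown route"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # No credentials: reject. The gateway does not hand out or echo credentials.
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(key, auth[len("Bearer "):], now)
    except ValueError as err:  # covers malformed base64/JSON as well (subclasses)
        return 401, {"error": str(err)}
    if claims.get("sub") != vin:
        return 403, {"error": "token is not bound to this vehicle"}
    if required_scope not in claims.get("scope", "").split():
        return 403, {"error": f"scope {required_scope} required"}
    return 200, {"ok": True, "action": f"{method} {path}"}


if __name__ == "__main__":
    vin = "VIN-CONSTRUCTED-001"  # constructed sample VIN
    read_token = mint_token(DEMO_KEY, vin, ["vehicle:read"])
    hdr = {"Authorization": "Bearer " + read_token}
    print(gateway(DEMO_KEY, "GET", "/vehicle/status", vin, hdr))        # 200
    print(gateway(DEMO_KEY, "POST", "/vehicle/doors/unlock", vin, hdr))  # 403
    print(gateway(DEMO_KEY, "POST", "/vehicle/doors/unlock", vin, {}))   # 401
```

The point of the table at the top is the whole design: adding a new car function means adding a row with its scope, and a token issued for a telemetry dashboard can never grow into a remote-control token because the scope check happens in one place, in front of everything.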
And the best of it all:
No news about insecure APIs! Because there are none!