Open sdog-mitre opened 8 years ago
We feel the more general case of the threat you describe is already covered by APP-10: Poorly implemented cryptography in mobile apps. This includes issues such as hard-coding cryptographic keys (including in obfuscated form, such as via white-box cryptography) and the use of weak or untested cryptographic algorithms to protect sensitive data or other secrets.
The Mobile Threat Catalogue is intended to be sector-agnostic, and therefore will not presently include threats to connected sector-specific devices, such as vehicle systems.
On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.
New Threat
Threat Category: Application: Vulnerable Application
Threat: Inspecting, intercepting and controlling API requests between a connected-car app running on a mobile device and the services running on the back-end server.
Threat Origin: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
Exploit Example: None
CVE Example: None
Possible Countermeasures:
References: None