usnistgov / mobile-threat-catalogue

NIST/NCCoE Mobile Threat Catalogue
https://pages.nist.gov/mobile-threat-catalogue

New APP threat: Intercepting API requests between connected-car app on mobile device and services on back-end server #54

Open sdog-mitre opened 8 years ago

sdog-mitre commented 8 years ago

On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.

New Threat

Threat Category: Application: Vulnerable Application

Threat: Inspecting, intercepting and controlling API requests between a connected-car app running on a mobile device and the services running on the back-end server.

Threat Origin: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

Exploit Example: None

CVE Example: None

Possible Countermeasures:

  1. Follow secure coding guidelines
  2. Protect the API from reverse-engineering and code tampering/modification attacks
  3. Use a cryptographic key protection solution such as Whitebox Cryptography to ensure that:
     a. Cryptographic keys are not discovered at any time, and are not present in static form or in runtime memory
     b. Data is protected at rest, in transit and in use
  4. Leverage vulnerability/penetration testing and ensure that known risks – including, in particular, those identified in the OWASP Mobile Top 10 list – are addressed

References: None

sdog-nist commented 7 years ago

We feel the more general case of the threat you describe is already covered by APP-10: Poorly implemented cryptography in mobile apps. This includes issues such as hard-coding cryptographic keys (including in obfuscated form, such as via white-box cryptography) and the use of weak or untested cryptographic algorithms to protect sensitive data or other secrets.

The Mobile Threat Catalogue is intended to be sector-agnostic, and therefore will not presently include threats to connected sector-specific devices, such as vehicle systems.