Insecure APIs lead to breaches at T-Mobile and automakers; lack of an API leads to a lost list at TSA

2–6–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday February 6th, and it’s starting to feel like Spring might finally arrive - but not soon enough.

This week’s One Big Thing is the double-edged sword of deploying powerful tools like an API as part of a tech transformation or new functionality rollout. Like any powerful tool, in the right hands it can deliver tremendous results, but it can also be quite risky.

Let’s dive in.

APIs Gone Awry: T-Mobile, Car Makers, and More

We’ve seen a rash of attacks and breaches lately driven by hackers exploiting improperly implemented or improperly secured API endpoints.

APIs - Application Programming Interfaces - are a way to make data available to applications at rapid speed and large scale, and are a cornerstone of modern application architectures.

That said, while APIs are incredibly powerful, they are also a double-edged sword, and implementing them securely is critical.

In T-Mobile’s case, an attacker had unauthorized access to an API that was able to return data including “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”

Worse still, the attacker was able to operate against this API for nearly two months, indicating that not only did T-Mobile improperly secure the API endpoint, but their monitoring capability for malicious or anomalous activity was clearly insufficient.

They aren’t the only ones learning hard lessons about API security, either.

Another recent announcement by security researcher Sam Curry demonstrated that many of the world’s largest auto manufacturers were also exposing too much data via their API deployments.

His research shows how vehicles from Kia, Honda, Infiniti, Nissan, and Acura are vulnerable to fully remote account takeover and PII disclosure (name, phone number, email address, physical address) using just a VIN.

Other manufacturers had a range of issues, as well, including Mercedes-Benz, BMW, Rolls Royce, Ferrari, and Ford - and the underlying infrastructure provided by SiriusXM’s Connected Vehicle telematics platform.

In short, if you’re not confident that your team can build, deploy, and maintain an API securely, seek out additional support. There’s a significant difference between an API working and an API working securely.

Best practices around authentication, avoiding direct object references, etc. are critical, and you should ensure you are robustly testing these tools during your build/deploy lifecycle and closely monitoring your endpoints to spot abuse or malicious activity.
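As an added illustration (not code from the newsletter or from any of the companies named), here is a minimal account-lookup API in Python showing the insecure direct object reference pattern beside a hardened version that requires authentication and checks ownership, plus a simple access-log check for the ID-enumeration behaviour that endpoint monitoring should catch. Account records, session tokens, and log lines are constructed sample data.

```python
# Added example: IDOR-style account lookup, its hardened form, and a
# monitoring check for clients enumerating account IDs. All data is constructed.
from collections import defaultdict

ACCOUNTS = {  # constructed sample records keyed by account number
    "1001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    "1002": {"owner": "bob", "name": "Bob B.", "email": "bob@example.com"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> user


def get_account_insecure(account_id):
    """Vulnerable: no authentication, no ownership check, so any caller
    who can guess or iterate account numbers can read every record."""
    return ACCOUNTS.get(account_id)


def get_account_secure(token, account_id):
    """Hardened: require a valid session, then verify the caller owns the
    record. Returns (body, http_status)."""
    user = SESSIONS.get(token)
    if user is None:
        return {"error": "unauthenticated"}, 401
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        # Same 404 for "missing" and "not yours" so the response does not
        # reveal which account numbers exist.
        return {"error": "not found"}, 404
    return {"name": record["name"], "email": record["email"]}, 200


def flag_enumerators(log_lines, max_distinct_ids=3):
    """Return clients that requested more than max_distinct_ids distinct
    account IDs. Constructed log format: '<client> <method> <path> <status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        client, _method, path, _status = line.split()
        seen[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, ids in seen.items() if len(ids) > max_distinct_ids)


SAMPLE_LOG = [  # constructed: one normal client, one walking through IDs
    "10.0.0.5 GET /accounts/1001 200",
    "10.0.0.5 GET /accounts/1001 200",
    "203.0.113.9 GET /accounts/1001 404",
    "203.0.113.9 GET /accounts/1002 404",
    "203.0.113.9 GET /accounts/1003 404",
    "203.0.113.9 GET /accounts/1004 404",
]
```

In a real deployment the distinct-ID threshold would be tuned per time window and per client, but the point is the same: a single caller touching many account identifiers is the signal that went unnoticed for two months.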

Finally - lest this become an anti-API rant - the story about the US Government’s “No Fly List” being stolen from regional airline CommuteAir and leaked on a hacker forum is a counterpoint: a case FOR using an API.

Ideally, the TSA would’ve maintained a single source of data and used an API to let airlines and reservation makers query the No Fly List as needed. Instead, they simply compile the whole list as a text file and share it around to all the airlines; one of them lost it, and now it’s in the wild with every single name on it. Not great.

As with most things in technology, there are risks - but those risks need to be managed to ensure you’re reaping the rewards. APIs are no exception.

Fundraising

Very strong week of fundraising, turning in more than $26B in newly committed funds, and putting the January total close to $100B.

We’re also seeing more (and higher) bids for take-privates of public tech companies, something that I think we will see continue to accelerate with this dry powder in combination with depressed market caps.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/

https://samcurry.net/web-hackers-vs-the-auto-industry/

https://www.bleepingcomputer.com/news/security/us-no-fly-list-shared-on-a-hacking-forum-government-investigating/
