Nissan Leaf's Naked APIs
This week the popular Nissan Leaf was in the headlines, but not in a good way. Security researchers Scott Helme and Troy Hunt demonstrated how any Leaf can be easily hacked. The duo hacked into Helme’s Leaf with little more than its vehicle identification number, as described on Hunt’s blog.
In Nissan’s case, shortcuts taken on API infrastructure produced a very bad outcome, and raises a lot of questions. What’s the brand damage to Leaf and Nissan? How much customer trust and goodwill has been lost? How much employee time will be squandered fixing the problem, answering questions, doing root cause analysis, reviewing procedures, assigning blame, and dealing with lawyers?
On the one hand you have to applaud Nissan. Car owners want the convenience of being able to control and monitor car functions via their mobile devices and Nissan built an app for Leaf owners—the company is executing a digital strategy.
On the other hand, clearly anyone providing a mobile app needs to think about securing the underlying APIs that app is built on! Building an app on naked APIs is hardly a sound strategy.
If you provide APIs for consumer experiences, you should ask yourself:
- How do you protect your backend from misuse and abuse?
- How do you identify clients? Authenticate and authorize use?
- What kind of rate limiting do you need? How do you prevent your system from being overrun?
- Do you have visibility into your API traffic and usage?
- Can you quickly detect automated (bot) attacks on your APIs—and stop them?
There’s a lot to consider, and if you have multiple APIs (the average app uses six) you have to ensure that you have visibility, control, and security across all of them.
Who owns API security, and how much is enough? Join the conversation on the Apigee Community.