This article was originally published on Linkedin…
A man walks up to a car, but doesn’t have the keys to the car. Not a problem. He takes out his mobile phone and clicks on an App that he wrote which invokes device APIs to unlock the car. Then he clicks on another function in the App to start the car and drives away. Does this sound like a convenience you would like? Well, I forgot to mention one important thing – the man does not own the car.
ZDNet recently wrote an article titled, “Nissan Leaf hackable through insecure APIs”. The article points out that the insecure APIs were not to unlock or start the car, but for less critical functions dealing with climate control and battery charge. However, I took license to exaggerate the possible implications of insecure APIs in automobiles.
The situation is not limited to automobiles. Directly accessible APIs could be used to shut off a security camera in a bank, pan it in a different direction, or otherwise keep it from capturing a crime in progress. Clearly I have watched too many bad movies.
Device interaction through APIs is one of the primary use cases for APIs and one that will grow exponentially over the coming years. In many cases the APIs might be harmless, and an openly accessible API to the device from any source might make sense. Knowing how much battery life remains in a Nissan Leaf doesn’t seem too dangerous. But perhaps someone might still come up with an inappropriate use of this information.
On the other hand, unlocking car doors, starting the car, issuing commands to security cameras, and many other scenarios need security for the API. First, I would make the argument that if you have an API to a device, even if it is not documented, someone will find it. So, I would suggest that for sensitive security situations obscurity is not a solution. I have spoken to device manufacturers who were planning to use a Bluetooth connection from a mobile phone to communicate with the device APIs. Again, this is not a good approach, as the Bluetooth connection can be used by others unless proper authentication and authorization are in place.
So, how should the API be secured? To continue please see the article on Linkedin…
To understand more about IBM’s thoughts on the API Economy visit the IBM API Economy website. IBM API Connect is IBM’s complete foundation to Create, Run, Manage, and Secure APIs. You can find more information about IBM API Connect at the API Connect website. And you can also download a trial version of API Connect.
If you have questions, please let me know. Connect with me through comments here or via twitter @Arglick to continue the discussion.