2020 Predictions: APIs Become a Focus of IoT Security

Last year, the folks behind the Open Web Application Security Project released a series of 10 IoT security vulnerabilities. Midway through the list was the “Use of Insecure or Outdated Components,” which range from third-party software to hardware components. 

One commonly used software component, application programming interfaces, pose a significant cybersecurity risk, according to Jonathan DiVincenzo, vice president of product management at Signal Sciences. (Well-known for its top-ten lists, the non-profit OWASP organization maintains a separate list of API vulnerabilities.)

“Attacks on APIs will increase in 2020,” DiVincenzo predicted, pointing to IoT security as a potential target area. “With connected devices in today’s IoT landscape becoming ubiquitous, companies need to be monitoring a broader attack surface area.” 

A series of predictions from Security Boulevard also includes a projection that “API abuses will become an even more prominent vector for data breaches within enterprise applications.” The same article also projects that end users will take a greater interest in IoT security in 2020. 

APIs are an attractive target from an attacker’s perspective, given the expansive access APIs developers grant to them. A loophole in a Facebook API famously gave Cambridge Analytica access to a treasure trove of user data. Ultimately, that loophole played a role in exposing sensitive data of 87 million people.  

Last year, Brian Krebs reported that Panera Bread’s website leaked data from as many as 37 million customers resulting from an API vulnerability. The customers’ data was leaked online in plain text for eight months, according to CSO Online. 

“[M]ore than 140 airlines had customer information compromised because the booking system allowed anyone to access passenger records just by changing an identifier in the URL,” DiVincenzo said.  

“Unsecured APIs can lead to exposure of massive information loads, from airline ticketing to online ordering,” DiVincenzo said. “Breaches of unsecured APIs can pose a real threat as they can interact with corporate networks for reconnaissance or as a jumping-off point for an attack.” 

There’s a cybersecurity truism that holds that convenience is an enemy of security. That conclusion is undoubtedly correct when it comes to the careless use of APIs. Inadequate visibility into API deployments is commonplace, according to a 2018 Ping survey.  

Yet many developers leveraging APIs are unconcerned about their API security. A survey from the API development vendor Postman found that nearly three-quarters of respondents in a felt their APIs had above-average security or higher. The research also found a growing number of non-developers deploying APIs. 

An API test suite is included as part of Arm’s Platform Security Architecture, which also provides a third-party lab evaluation component.  

API users without significant grounding in security contribute to cyber-risk, but another hurdle is that many network monitoring security products are poorly equipped to keep tabs on APIs. “[T]hey can be a source of significant false positives, or conversely, when such alerts are ignored, a potential place to hide attacks,” DiVincenzo said. “Companies will need to increase their business spend in the coming year to mitigate the heightened risk of API-based IoT attacks.”