2020 Predictions: APIs Become a Focus of IoT Security

According to a cybersecurity expert, API security will be a priority as API-based IoT attacks surge in 2020.

Brian Buntz

December 21, 2019

3 Min Read
System Integration with Digital Platform Network TechnologyGetty Images

Last year, the folks behind the Open Web Application Security Project released a series of 10 IoT security vulnerabilities. Midway through the list was the “Use of Insecure or Outdated Components,” which range from third-party software to hardware components. 

One commonly used software component, application programming interfaces, pose a significant cybersecurity risk, according to Jonathan DiVincenzo, vice president of product management at Signal Sciences. (Well-known for its top-ten lists, the non-profit OWASP organization maintains a separate list of API vulnerabilities.)

“Attacks on APIs will increase in 2020,” DiVincenzo predicted, pointing to IoT security as a potential target area. “With connected devices in today’s IoT landscape becoming ubiquitous, companies need to be monitoring a broader attack surface area.” 

A series of predictions from Security Boulevard also includes a projection that “API abuses will become an even more prominent vector for data breaches within enterprise applications.” The same article also projects that end users will take a greater interest in IoT security in 2020. 

APIs are an attractive target from an attacker’s perspective, given the expansive access APIs developers grant to them. A loophole in a Facebook API famously gave Cambridge Analytica access to a treasure trove of user data. Ultimately, that loophole played a role in exposing sensitive data of 87 million people.  

Last year, Brian Krebs reported that Panera Bread’s website leaked data from as many as 37 million customers resulting from an API vulnerability. The customers’ data was leaked online in plain text for eight months, according to CSO Online

“[M]ore than 140 airlines had customer information compromised because the booking system allowed anyone to access passenger records just by changing an identifier in the URL,” DiVincenzo said.  

“Unsecured APIs can lead to exposure of massive information loads, from airline ticketing to online ordering,” DiVincenzo said. “Breaches of unsecured APIs can pose a real threat as they can interact with corporate networks for reconnaissance or as a jumping-off point for an attack.” 

There’s a cybersecurity truism that holds that convenience is an enemy of security. That conclusion is undoubtedly correct when it comes to the careless use of APIs. Inadequate visibility into API deployments is commonplace, according to a 2018 Ping survey.  

Yet many developers leveraging APIs are unconcerned about their API security. A survey from the API development vendor Postman found that nearly three-quarters of respondents in a felt their APIs had above-average security or higher. The research also found a growing number of non-developers deploying APIs. 

An API test suite is included as part of Arm’s Platform Security Architecture, which also provides a third-party lab evaluation component.  

API users without significant grounding in security contribute to cyber-risk, but another hurdle is that many network monitoring security products are poorly equipped to keep tabs on APIs. “[T]hey can be a source of significant false positives, or conversely, when such alerts are ignored, a potential place to hide attacks,” DiVincenzo said. “Companies will need to increase their business spend in the coming year to mitigate the heightened risk of API-based IoT attacks.”

About the Author(s)

Brian Buntz

Brian is a veteran journalist with more than ten years’ experience covering an array of technologies including the Internet of Things, 3-D printing, and cybersecurity. Before coming to Penton and later Informa, he served as the editor-in-chief of UBM’s Qmed where he overhauled the brand’s news coverage and helped to grow the site’s traffic volume dramatically. He had previously held managing editor roles on the company’s medical device technology publications including European Medical Device Technology (EMDT) and Medical Device & Diagnostics Industry (MD+DI), and had served as editor-in-chief of Medical Product Manufacturing News (MPMN).

At UBM, Brian also worked closely with the company’s events group on speaker selection and direction and played an important role in cementing famed futurist Ray Kurzweil as a keynote speaker at the 2016 Medical Design & Manufacturing West event in Anaheim. An article of his was also prominently on kurzweilai.net, a website dedicated to Kurzweil’s ideas.

Multilingual, Brian has an M.A. degree in German from the University of Oklahoma.

Sign Up for the Newsletter
The most up-to-date news and insights into the latest emerging technologies ... delivered right to your inbox!

You May Also Like