Enterprise security isn't easy. Small oversights around systems and vulnerabilities can result in data breaches that affect millions of users. Unfortunately, one of the most common oversights is in the realm of APIs.
Just yesterday, T-Mobile revealed that a threat actor stole the personal information of 37 million postpaid and prepaid customer accounts through an exposed API (which they exploited between November 25, 2022 and January 5, 2023). The vendor didn't share how the hackers exploited the API.
This incident highlights that API security needs to be at the top of the agenda for CISOs and organizations if they want to keep customer data from falling into the wrong hands.
The rise of API exploitation
With cloud adoption rising dramatically over the past few years, analysts have long warned enterprises that a tidal wave of API exploitation has been brewing. Back in 2021, Gartner predicted that in 2023, API abuse would move from an infrequent attack vector to the most frequent one.
These predictions appear to be accurate, with research showing that 53% of security and engineering professionals reported their organizations had experienced a data breach of a network or app as a result of compromised API tokens.
In addition, just a month ago, hackers exposed the account and email addresses of 235 million Twitter users after exploiting an API vulnerability originally shipped in June 2021, which was later patched.
As threat actors look to exploit APIs more often, organizations can't afford to rely on legacy cybersecurity solutions to protect this vast attack surface. Unfortunately, upgrading to up-to-date solutions is easier said than done.
“Unauthorized API access can be extremely difficult for organizations to monitor and investigate — especially for enterprise companies — due to the sheer volume of them,” said Chris Doman, CTO and cofounder of Cado Security.
“As more organizations are moving data to the cloud, API security becomes even more pertinent with distributed systems,” Doman said.
Doman notes that organizations looking to insulate themselves from incidents like the one T-Mobile experienced need to have “proper visibility” into API access and activity beyond traditional logging.
This is important because logging can be sidestepped, as was the case with a vulnerability in AWS' APIs that allowed attackers to bypass CloudTrail logging.
How bad is the T-Mobile API data breach?
While T-Mobile has claimed that the attackers weren't able to access users' payment card information, passwords, driver's licenses, government IDs or social security numbers, the information that was harvested provides ample material for social engineering attacks.
“Although T-Mobile has publicly disclosed the severity of the incident, alongside its response — cutting off threat-actor access via the API exploit — the breach still compromised billing addresses, emails, phone numbers, birth dates and more,” said Cliff Steinhauer, director of information security and engagement at NCA.
“It’s basic information, but just enough to map out and execute a convincing enough social engineering campaign that can strengthen bad actors’ capacity for new attacks,” Steinhauer said.
These attacks include phishing, identity theft, business email compromise (BEC) and ransomware.
Why do API breaches happen?
APIs are a prime target for threat actors because they facilitate communication between different apps and services. Each API sets out a mechanism for sharing data with third-party services. If an attacker discovers a vulnerability in one of these services, they can gain access to the underlying data as part of a man-in-the-middle attack.
There is a rise in API-based attacks, not because these components are inherently insecure, but because many security teams don't have the processes in place to identify and classify APIs at scale, let alone remediate vulnerabilities.
“APIs are designed to provide ready access to applications and data. This is a great benefit to developers, but also a boon for attackers,” said Mark O’Neill, VP analyst at Gartner. “Protecting APIs starts with discovering and categorizing your APIs. You can’t secure what you don’t know.”
Of course, inventorying APIs is just the tip of the iceberg; security teams also need a way to secure them.
“Then it involves the use of API gateways, web application and API protection (WAAP), and application security testing. A key problem is that API security falls into two groups: engineering teams, who lack security skills, and security teams, who lack API skills.”
Thus, organizations need to adopt a DevSecOps-style approach to better assess the security of applications in use (or in development) within the environment, and develop a way to secure them.
Identifying and mitigating API vulnerabilities
One way organizations can begin to identify vulnerabilities in APIs is to implement penetration testing. Conducting an internal or third party-led penetration test can help security teams see how vulnerable to exploitation an API is, and provide actionable steps on how they can improve their cloud security posture over time.
“For all types of software, it’s vital that companies use updated code and check the security of their systems, e.g., by arranging penetration testing — a security assessment that simulates various types of intruders … the goal of which is to elevate the current privileges and access the environment,” said David Emm, principal security researcher at Kaspersky.
In addition, it's a good idea for organizations to invest in incident response, so that if an API is exploited, they can respond quickly to limit the impact of the breach.
“To be on the safe side when a company is faced with an incident, incident response services can help minimize the consequences, in particular by identifying compromised nodes and protecting the infrastructure from similar attacks in the future,” Emm said.
The role of zero trust
Unauthenticated, public-facing APIs are susceptible to malicious API calls, where an attacker will attempt to connect to the endpoint and exfiltrate all the data it has access to. In the same way that you wouldn't implicitly trust a user to access PII, you shouldn't automatically trust an API either.
That's why it's essential to implement a zero trust strategy and deploy an authentication and authorization mechanism for each individual API, to prevent unauthorized individuals from accessing your data.
“When you have sensitive data (in this case customer phone numbers, billing and email addresses, etc.) sprawled across databases, mixed with other data, and access to that data not properly managed, these types of breaches are hard to avoid,” said Anshu Sharma, co-founder and CEO of Skyflow.
“The best-run companies with the most sensitive data know that they must adopt new zero-trust architectures. Bad actors are getting smarter. Adopting new privacy technology isn’t an option anymore, it’s table stakes,” Sharma said.
Combining access control frameworks like OAuth2 with authentication measures such as username and password and API keys can help enforce the principle of least privilege and ensure that users have access only to the information they need to perform their role.
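The zero trust and least-privilege points above can be made concrete with a small worked example. The following Python is an added illustration written for this article, not code from T-Mobile, Skyflow or any vendor quoted here. It assumes a customer-account endpoint behind OAuth2-issued bearer tokens, with token introspection replaced by an in-memory table, two constructed scopes (`account:read:self` for a customer reading their own record, `account:read:support` for a support role that may read any record but only a reduced set of fields), and constructed sample customer data shaped like the field mix the article says was exposed. Every request must authenticate, every request is checked against the scope the endpoint requires, and the response is filtered to the fields the caller's role actually needs.

```python
"""Added example: authentication, per-endpoint authorization and
field-level least privilege for a customer-account API.

Everything here (tokens, scopes, customer records, field policy) is
constructed for illustration and stands in for an OAuth2 token
introspection call and a real data store.
"""
from dataclasses import dataclass
import hmac

# Constructed sample records (not real customer data).
CUSTOMERS = {
    "c-1001": {"name": "A. Example", "email": "a@example.test",
               "phone": "+1-555-0100", "billing_address": "1 Main St",
               "birth_date": "1980-01-01"},
    "c-1002": {"name": "B. Example", "email": "b@example.test",
               "phone": "+1-555-0101", "billing_address": "2 Main St",
               "birth_date": "1985-02-02"},
}

# Stand-in for OAuth2 token introspection: opaque token -> subject + scopes.
TOKENS = {
    "tok-customer-1001": {"sub": "c-1001", "scope": {"account:read:self"}},
    "tok-support-77": {"sub": "agent-77", "scope": {"account:read:support"}},
}

# Least privilege at the field level: which fields each scope may see.
FIELDS_BY_SCOPE = {
    "account:read:self": {"name", "email", "phone", "billing_address", "birth_date"},
    "account:read:support": {"name", "phone"},
}


class AuthError(Exception):
    """Carries the HTTP status the handler should answer with."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


@dataclass
class Principal:
    sub: str
    scope: set


def authenticate(headers: dict) -> Principal:
    """Zero trust: no bearer token, no access. Unknown tokens are also 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise AuthError(401, "missing bearer token")
    presented = auth[len("Bearer "):]
    for token, info in TOKENS.items():
        # Constant-time comparison so token lookup does not leak via timing.
        if hmac.compare_digest(token, presented):
            return Principal(info["sub"], set(info["scope"]))
    raise AuthError(401, "unknown token")


def get_account(headers: dict, customer_id: str) -> dict:
    """GET /accounts/{customer_id}: authenticate, authorize, then filter fields."""
    p = authenticate(headers)
    if "account:read:support" in p.scope:
        allowed = FIELDS_BY_SCOPE["account:read:support"]
    elif "account:read:self" in p.scope:
        # Object-level check: a self-service token may only read its own record.
        if p.sub != customer_id:
            raise AuthError(403, "not your account")
        allowed = FIELDS_BY_SCOPE["account:read:self"]
    else:
        raise AuthError(403, "insufficient scope")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise AuthError(404, "no such account")
    # Return only the fields this role needs, never the whole record.
    return {k: v for k, v in record.items() if k in allowed}


def handle_get_account(headers: dict, customer_id: str) -> tuple:
    """HTTP-style wrapper returning (status, body) instead of raising."""
    try:
        return 200, get_account(headers, customer_id)
    except AuthError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    print(handle_get_account({}, "c-1001"))                                        # 401
    print(handle_get_account({"Authorization": "Bearer tok-customer-1001"}, "c-1002"))  # 403
    print(handle_get_account({"Authorization": "Bearer tok-support-77"}, "c-1002"))     # 200, name+phone only
```

The design choice worth noting is the order of checks: identity first, then scope, then the object-level ownership check, and only then the data lookup, so an unauthenticated or wrongly scoped caller never learns whether an account ID exists. A real deployment would replace the `TOKENS` table with a call to the authorization server's introspection endpoint and keep the field policy in configuration rather than code.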