TL;DR: API incidents now account for 17% of all attacks in connected mobility, 92% are remote, and more than 60% affect thousands to millions of assets, according to Upstream Security’s 2025 report. The pattern shows API governance has become operational resilience work, not just application hardening.
NHIMG editorial — based on content published by Upstream Security: Connected Vehicle Cybersecurity Mobility API Security, When API Security Fails, Mobility Breaks
By the numbers:
- The 2025 report shows API incidents now account for 17% of all attacks, ahead of infotainment as an entry point.
- The report says 92% of automotive cyberattacks are remote.
- 60% of incidents impact thousands to millions of, illions of assets.
Questions worth separating out
Q: What breaks when API authentication is weak in connected mobility systems?
A: When API authentication is weak, attackers can impersonate legitimate users or services and reach actions the interface was never meant to expose.
Q: Why do exposed API keys create outsized risk in mobility ecosystems?
A: Exposed API keys are reusable non-human credentials, so one leak can support automated abuse across many systems before detection or rotation occurs.
Q: How do security teams know an API trust model is failing?
A: An API trust model is failing when small identifier mistakes or exposed credentials lead to cross-asset access, data returned beyond the caller’s role, or actions that affect physical systems.
Practitioner guidance
- Map API credentials to non-human identities Inventory every API key, token, certificate, and service credential that can influence vehicle, charging, or AI services.
- Enforce object-level authorization on high-impact endpoints Test endpoints that bind accounts to VINs, devices, charging sessions, or model assets for broken object-level authorization.
- Reduce blast radius with narrow scopes and rapid revocation Issue credentials with the smallest feasible scope, separate read and write access, and revoke immediately when an integration changes ownership or purpose.
What's in the full article
Upstream Security's full article covers the operational detail this post intentionally leaves for the source:
- Incident-by-incident breakdown of the 2025 mobility API failures and how each one was exploited
- Discussion of how vehicle portals, charging APIs, and AI-related exposure patterns differ in practice
- Context on the report’s broader automotive threat findings and ecosystem-scale implications
- The vendor’s framing of live digital twins and fusion detection across IT, OT, and IoT
👉 Read Upstream Security's analysis of API security failures in connected mobility →
API security in connected mobility: what it means for resilience?
Explore further
API security in mobility is a non-human identity problem as much as a software problem. The article’s examples involve credentials, tokens, and service access paths that behave like NHIs even when the vendor framing stays at the application layer. That matters because unmanaged API identities create standing trust that attackers can reuse across vehicles, chargers, apps, and AI services. The governance issue is not just whether an API exists, but whether its identity, scope, and lifecycle are controlled. Practitioners should manage API credentials as privileged machine identities, not as incidental implementation details.
A question worth separating out:
Q: Who is accountable when an API flaw allows vehicle or charging abuse?
A: Accountability usually spans product security, platform engineering, and the business owner of the connected service, because API governance cuts across technical and operational ownership. Where personal data or regulated services are involved, access logging, authorization design, and incident response obligations also create compliance exposure. Clear ownership is part of the control, not a post-incident formality.
👉 Read our full editorial: API security failures are now a mobility resilience problem