A third party is draining your whole fleet through your own API — and every IP it shows you is a decoy.
A connected-vehicle security lead put his single largest unsolved problem to us plainly: third parties reverse-engineer your connected-car API — increasingly with AI — phish your customers for their companion-app credentials, and connect to your telematics backend with no contract. Then they scrape and resell whole-fleet data. It's a GDPR and EU-Data-Act exposure, and it's invisible at the network layer: a real customer is one IP to one car; the abuser is one operator to thousands, steals genuine sessions so it passes every auth check, and rotates egress across Amazon, Google and Azure so all your VSOC ever logs is a meaningless last IP.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
The abuse that no rate-limit, no WAF, and no last IP will ever catch.
It isn't a breach. Your API is used exactly as it was built — at fleet scale, by an operator who was never your customer and never signed a contract.
“Third parties reverse-engineer our connected-car API, phish customers for their app logins, and pull whole-fleet data off the telematics backend with no agreement in place. We can't tell them from a real driver at the network layer — and when we try to block them, the IP is already gone. Solve this and you're in a very good niche.”
Not breached — rebuilt
The V2C API is mapped from the companion app and increasingly reconstructed by AI. Nothing is exploited yet; the endpoints are simply used as designed.
It passes every auth check
Phished app credentials or a hardcoded key lifted from a dealer-portal bundle yield genuine sessions. Auth says yes. There is no commercial agreement anywhere behind it.
Then the IP dissolves
Low-and-slow VIN enumeration under every rate limit — then egress hops Amazon → Google → Azure, or a residential-proxy swarm. Your VSOC correlates a fresh last IP and nothing else.
Concretely, and at the class level: the API they call is your app's API, because it is your app's protocol. A third party reverse-engineers the connected-car companion app until it holds the exact calls the official app makes, then authenticates the same ways your own app does — a phished owner login, a static API-key header lifted from the app bundle, or an OAuth bearer token that is portable to any IP. From there it is contract-less, long-lived polling: a request every few minutes, streams held open — indistinguishable from a real handset because it is the handset's protocol. This isn't theoretical: public reverse-engineered clients for a major European connected-car backend already circulate. The root cause has a name — OWASP broken authentication / BOLA: the token, key or password authenticates a claim, never the machine on the other end.
This is invisible by design: a legitimate driver is one IP to one car; the abuser is one operator to thousands, holding valid credentials and showing you a disposable address every few requests. Whole-fleet telematics resale is not hypothetical — two data brokers reached billions of harvested vehicle-data points, and litigation, before both collapsed in 2024. That makes it a GDPR and EU-Data-Act incident, not only a security one.
Stop detecting the abuse. Prove the identity.
Detection will always be a step behind a credential that is genuinely valid. You can tune models forever and the abuser still looks exactly like a customer — because, to your backend, they are one. The only strictly-stronger move is to change what the backend trusts.
A session token, an API key, a cookie — whoever holds it can present it. That is the whole problem in one line: the credential does not prove which car is on the other end, so a stolen one is indistinguishable from the real thing, and the source IP that might have narrowed it down is disposable.
Tomorrow · the backend authorizes a car that proves itself. Bind authority to an identity the car holds and can demonstrate cryptographically, not a secret anyone can copy. Now a request either proves it is the car it claims to be, or it has no authority at all — before a single detection rule runs. Detection stops being the last line of defense and becomes a bonus.
That identity already has a home on the network you run: an address. Here is how the car's own key becomes an address no one can forge.
The key already in the car becomes an address only that car can prove.
Whisper has one primitive: the address is the identity. A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig.
Point it at the car. Derive each vehicle's — or each ECU's — /128 from the hardware key it already holds: the secure element, the TPM, the IEEE 802.1AR IDevID, with the VIN or ECU serial as the domain separator. The private key never leaves the secure element; the address is a one-way function of its public half and the VIN. The V2C backend then authorizes on the car's pinned identity, not a stealable token — no bespoke CA trust store to push to every vehicle, and revocation at DNS-TTL speed instead of CRL/OCSP soft-fail.
"1 IP → thousands of cars" becomes physically impossible
You cannot present thousands of car-identities whose keys you don't hold. Every forgery is a DNSSEC/DANE inconsistency any verifier catches.
IP rotation becomes irrelevant
Identity is not the source IP. The "last IP" was never the credential — so rotating it, across clouds or residential proxies, changes nothing.
Stolen sessions fail
The aggregator's server doesn't hold the car's per-/128 leaf key. A valid-looking token with no key behind it authenticates to nothing.
One revoke kills a compromised car worldwide
At DNS-TTL speed: dig -x returns nothing; verify returns false. No fleet-wide password reset, no CRL you hope every car fetched.
"A leaked API key or a valid dealer-portal session looks legitimate — how do you catch abuse that passes auth?"
You bind authority to the car, not the bearer. State-changing fleet commands terminate mutually-authenticated to the target car's /128 — the car co-signs — so a dealer or owner session can't reach a VIN it can't cryptographically address. A request that passes auth but can't prove the identity never had authority in the first place. BOLA/IDOR and mass-assignment lose their leverage: elevating to any account no longer reaches any car.
UUri authority-name is, by spec, a domain name, a VIN or an IPv6 address — so a Whisper name or /128 slots straight in, with DANE anchoring the transport binding (Zenoh, SOME/IP, MQTT or HTTP). The same DANE pin anchors an AUTOSAR Adaptive gateway's SOME/IP-over-TLS or DDS-Security endpoint cert, and an ISO 20078 Extended-Vehicle / neutral-server offering's TLS — where a per-vehicle name becomes a stable ExVe resource id the authorized third parties the EU Data Act forces you to open to can resolve and verify. Proposed integrations at the IP and cloud boundary; Whisper never reaches into the SecOC bus authenticator or the charging handshake.revoke. An ECU swap or dealer module replacement re-keys to a new /128 and revokes the old one; a legitimate resale or decommission is one revoke and a re-register to the new owner. Compromise one ECU and you've compromised that ECU, not the fleet — the DigiNotar failure mode is structurally removed.Maps to UN R155 (CSMS), R156 (SUMS), ISO/SAE 21434, the EU Data Act (in force since 12 Sep 2025 — verifiable per-party identity is how you draw the authorized-user-vs-unauthorized-aggregator line) and GDPR. Know, attribute and revoke every component — delivered as a network primitive, not a compliance binder.
Identity stops the next forgery. The graph names whoever already scraped you.
You won't re-key the whole fleet by Monday, and there is abuse in your logs right now. So the same platform back-traces the operator behind the sessions you already logged — attribution that survives the rotation, because it fingerprints the operator and the tooling, not the ephemeral egress IP.
A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator.
And it's a question, not a signature. Express fleet enumeration directly — "one source touching N distinct vehicle-identities in a window" — as read-only Cypher, and the graph returns the operator with a reproducible evidence chain your VSOC, your PSIRT, your auditors and a regulator can replay. That's business-logic and VIN-enumeration abuse caught by its shape across the fleet, not by a pattern you had to know in advance.
# ask the graph the business-logic question directly — read-only Cypher over the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"MATCH (src)-[t:TOUCHED]->(v:VehicleIdentity)
WHERE t.window = \"15m\" WITH src, count(DISTINCT v) AS vins
WHERE vins > 50 RETURN src, vins ORDER BY vins DESC"}'
operator <fingerprinted> 1 source → 3,412 distinct VINs / 15m
egress: AWS eu-central → GCP europe-w4 → Azure westeu (collapsed to 1)
ja4: same tooling across 41 residential exits → 1 operator
reproducible, replayable JSON evidence chain → your SIEM
"When they rotate residential proxies and fresh cloud IPs, can you actually attribute them — or just rate-limit an IP and move on?"
Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on — so the rotation that hides them from your VSOC is exactly what the graph reads through.
The verbs your analysts run (or your agent runs for them): identify(ip) (who really operates a host, even behind a CDN) · origins(prefix) + walk(node,depth) (cluster rotating IPs into one genealogy) · history / watch (a timeline and a standing sentinel over a suspect operator). Every answer is reproducible, replayable JSON: the GDPR and EU-Data-Act paper trail for an unauthorized-aggregator finding, not a screenshot.
Identity is the cure; the graph is how you clean up what got in before it, and catch the operator who tries anyway. Detection made durable, on top of a root-cause fix.
Additive to your VSOC. Mapped to your standards. Priced so you can say yes.
Your behavioral VSOC tells you that a fleet API is abused, at the app layer inside your own cloud — necessary, and where that picture stops. Whisper adds the two layers no one else owns: attribution across rotating clouds, and forge-proof identity after auth. It's depth on top of the stack you already run — not a console your analysts babysit.
| Behavioral VSOC | Whisper | |
|---|---|---|
| Detect API abuse in your cloud (BOLA, business-logic) | ✓ | additive feed |
| Attribute the operator across rotating clouds / residential proxies | — | ✓ |
| Forge-proof per-car / per-agent identity after auth | — | ✓ |
Feeds your SIEM and PSIRT
The Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings arrive as signed, replayable JSON mapped to CEF and ECS fields — with STIX 2.1 over TAXII export on the roadmap — that you can hand a regulator or push straight into a PSIRT workflow.
Speaks your compliance language
Maps to UN R155 / R156 and ISO/SAE 21434 evidence, and to the Auto-ISAC Automotive Threat Matrix — findings tagged to ATM tactics and techniques, with the ATM's machine-readable JSON export on the roadmap for sharing straight to Auto-ISAC and your peers. Usable in TARA, cybersecurity interface agreements and type approval.
Flat pricing, real ROI
Per-VIN/year and flat — not per-transaction, not usage-metered — a line item you can forecast against 40-billion-API-call-a-month economics. ROI is concrete: analyst-hours saved chasing disposable IPs, warranty and recall exposure reduced, one revoke instead of a fleet-wide reset. See pricing →
Safe in your auth path
It rides on top of the X.509 device-cert mTLS your connected-vehicle cloud already runs — AWS IoT Core, Azure Event-Grid MQTT, Google Cloud — anchoring that same identity in public DNSSEC/DANE rather than replacing your vendor's mTLS, so a regulator or peer can verify a car outside that cloud's tenancy. And it's built to fail open: a Whisper outage never bricks a car — checks degrade to your existing anchors and connectivity is preserved. Anycast on AS219419, no single node in the path.
On-prem or your own tenant
Data residency and GDPR by construction — the graph and the per-agent logs stay where your regulator needs them. No whole-fleet telematics leaving your boundary to a third party you never contracted.
A vendor that will still be here
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Auto-security startups fail — one raised ~$60M and folded; we built infrastructure to outlast that question. POC → pilot → enterprise, keyless to start.
Don't take our word for it — our API isn't in the trust path.
Two tiers, by design. No key: anyone can verify a car's identity and resolve it — trustless, anchored at the IANA root. Your key: back-trace a suspicious host on the graph, register a vehicle, govern its agents, revoke it worldwide.
# keyless — re-derive and verify any car's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::c0de
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the identity's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the car — reverse DNS names it
$ dig -x 2a04:2a01:1c0::c0de +short
vin-wvwzzz1kz.fleet.example-oem.whisper.online.
# who really operates a suspicious host — with your key, via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
# give a car a name it can prove, and govern its agents
$ export WHISPER_API_KEY=whisper_live_xxx
$ whisper register --vin WVW… --from-idevid
→ identity 2a04:2a01:1c0::c0de DNSSEC + DANE live
$ whisper policy set --default deny --allow api.oem.com,ota.oem.com
$ whisper revoke 2a04:2a01:1c0::c0de # worldwide, at DNS-TTL
Give every car an identity it can prove.
The address is the car — routable, DNSSEC-anchored, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke. The fleet-API abuse that no rate-limit ever caught simply runs out of forgeries.
Or run whisper verify --trustless right now.