# Fleet-API abuse, cured — the address is the car

> A third party is draining your whole fleet through your own API — and every IP it
> shows you is a decoy. The address **is** the car: a routable, DNSSEC-anchored /128 no
> aggregator can forge, so a stolen session with no car-key behind it authenticates to
> **nothing**. Additive to your VSOC and SIEM.

A connected-vehicle security lead put his single largest unsolved problem to us plainly:
third parties reverse-engineer your connected-car API — increasingly with AI — phish your
customers for their companion-app credentials, and connect to your telematics backend with
*no contract*. Then they scrape and resell whole-fleet data. It's a GDPR and EU-Data-Act
exposure, and it's invisible at the network layer: a real customer is *one IP to one car*;
the abuser is *one operator to thousands*, steals genuine sessions so it passes every auth
check, and rotates egress across Amazon, Google and Azure so all your VSOC ever logs is a
meaningless *last IP*.

**Stop trying to detect it. Make it an identity problem.** The address **is** the car — a
routable, DNSSEC-anchored **/128** no aggregator can forge. **Give every car an identity it
can prove — and no one can forge.**

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

- **17%** — APIs are now the #1 automotive attack vector, ahead of infotainment
- **92%** — of automotive attacks are remote
- **~2×** — AI roughly doubled automotive cyberattacks year over year
- **16** — brands broken through connected-car APIs in one research disclosure
- **~140k** — vehicles reachable through a single employee-portal pivot
- **billions** — of vehicle-data points harvested and resold before two brokers collapsed in 2024

---

## The problem, in their words

**The abuse that no rate-limit, no WAF, and no *last IP* will ever catch.** It isn't a
breach. Your API is used exactly as it was built — at fleet scale, by an operator who was
never your customer and never signed a contract.

> "Third parties reverse-engineer our connected-car API, phish customers for their app
> logins, and pull whole-fleet data off the telematics backend with no agreement in place.
> We can't tell them from a real driver at the network layer — and when we try to block
> them, the IP is already gone. **Solve this and you're in a very good niche.**"
> — a connected-vehicle security operations lead, describing the problem shared across the industry

1. **REVERSE-ENGINEERED — not breached, rebuilt.** The `V2C` API is mapped from the companion app and increasingly reconstructed by AI. Nothing is exploited yet; the endpoints are simply used as designed.
2. **REAL SESSIONS, NO CONTRACT — it passes every auth check.** Phished app credentials or a hardcoded key lifted from a dealer-portal bundle yield genuine sessions. Auth says yes. There is no commercial agreement anywhere behind it.
3. **ONE OPERATOR, WHOLE FLEET — then the IP dissolves.** Low-and-slow `VIN` enumeration under every rate limit — then egress hops Amazon → Google → Azure, or a residential-proxy swarm. Your VSOC correlates a fresh *last IP* and nothing else.

**Concretely, and at the class level:** the API they call is *your app's* API, because it
*is* your app's protocol. A third party reverse-engineers the connected-car companion app
until it holds the exact calls the official app makes, then authenticates the same ways
your own app does — a phished owner login, a static `API-key` header lifted from the app
bundle, or an OAuth **bearer token that is portable to any IP**. From there it is
contract-less, long-lived polling: a request every few minutes, streams held open —
indistinguishable from a real handset because it *is* the handset's protocol. This isn't
theoretical: public reverse-engineered clients for a major European connected-car backend
already circulate. The root cause has a name — `OWASP broken authentication / BOLA`: the
token, key or password authenticates a *claim*, never the *machine* on the other end.

This is invisible *by design*: a legitimate driver is one IP to one car; the abuser is one
operator to thousands, holding valid credentials and showing you a disposable address every
few requests. Whole-fleet telematics resale is not hypothetical — two data brokers reached
billions of harvested vehicle-data points, and litigation, before both collapsed in 2024.
That makes it a GDPR and EU-Data-Act incident, not only a security one.

---

## The reframe · stop detecting the abuse, prove the identity

Detection will always be a step behind a credential that is genuinely valid. You can tune
models forever and the abuser still looks exactly like a customer — because, to your
backend, they are one. The only strictly-stronger move is to change what the backend trusts.

- **Today · the backend trusts a bearer secret.** A session token, an API key, a cookie — whoever holds it can present it. The credential does not prove *which car* is on the other end, so a stolen one is indistinguishable from the real thing, and the source IP that *might* have narrowed it down is disposable.
- **Tomorrow · the backend authorizes a car that proves itself.** Bind authority to an identity the car *holds* and can demonstrate cryptographically, not a secret anyone can copy. Now a request either proves it is the car it claims to be, or it has no authority at all — before a single detection rule runs. Detection stops being the last line of defense and becomes a bonus.

That identity already has a home on the network you run: an address.

---

## How it works · the car key becomes the car's name

Whisper has one primitive: **the address is the identity.** A routable IPv6 **/128** out of
`2a04:2a01::/32` (announced by **AS219419**), deterministically derived from a key,
DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered — re-derivable and verifiable by
anyone with `dig`.

**Point it at the car.** Derive each vehicle's — or each ECU's — /128 from the hardware key
it already holds: the secure element, the TPM, the IEEE **802.1AR IDevID**, with the **VIN
or ECU serial as the domain separator**. The private key never leaves the secure element; the address is a one-way function of its public half and the VIN. The `V2C` backend then authorizes on the car's *pinned
identity*, not a stealable token — no bespoke CA trust store to push to every vehicle, and
revocation at DNS-TTL speed instead of CRL/OCSP soft-fail.

```
secure element / TPM  ──pubkey + VIN──▶  /128  ──DNSSEC+DANE-EE──▶  a name anyone can verify
(802.1AR IDevID key,                     2a04:2a01:…::c0de           whisper verify --trustless
 never leaves the chip,                  routable identity           our API not in the trust path
 key stays in SE)                                                    op:revoke → gone at DNS-TTL
```

What becomes true the moment you do this:

- **"1 IP → thousands of cars" becomes physically impossible.** You cannot present thousands of car-identities whose keys you don't hold. Every forgery is a DNSSEC/DANE inconsistency any verifier catches.
- **IP rotation becomes irrelevant.** Identity is not the source IP; the "last IP" was never the credential — so rotating it, across clouds or residential proxies, changes nothing.
- **Stolen sessions fail.** The aggregator's server doesn't hold the car's per-/128 leaf key. A valid-looking token with no key behind it authenticates to nothing.
- **One `revoke` kills a compromised car worldwide** at DNS-TTL speed — `dig -x` returns nothing, verify returns false. No fleet-wide password reset, no CRL you hope every car fetched.

> **"A leaked API key or a valid dealer-portal session looks legitimate — how do you catch abuse that passes auth?"**
> You bind authority to the car, not the bearer. State-changing fleet commands terminate
> mutually-authenticated to the *target car's* /128 — the car co-signs — so a dealer or
> owner session can't reach a VIN it can't cryptographically address. A request that passes
> auth but can't prove the identity never had authority in the first place. `BOLA/IDOR` and
> mass-assignment lose their leverage: elevating to *any* account no longer reaches *any* car.

**Attaches to what you already ship — it does not replace it.** Whisper complements the
anchors you already trust — 802.1AR IDevID/LDevID (the silicon birth certificate), SCMS for
V2X, ISO 15118 Plug & Charge, TPM/HSM/eSIM. It is the publicly verifiable, DNSSEC/DANE-anchored
layer *on top* — the missing cryptographic counterpart to the identifiers you already stamp.

**A near-literal drop-in for how the SDV already addresses services.** In
**COVESA uProtocol** (Eclipse SDV) a service's `UUri` authority-name is, by spec, a domain
name, a VIN or an IPv6 address — so a Whisper name or /128 slots straight in, with DANE anchoring
the transport binding (Zenoh, SOME/IP, MQTT or HTTP). The same DANE pin anchors an
**AUTOSAR Adaptive** gateway's SOME/IP-over-TLS or DDS-Security endpoint cert, and an
**ISO 20078** Extended-Vehicle / neutral-server offering's TLS — where a per-vehicle name
becomes a stable ExVe resource id the authorized third parties the EU Data Act forces you to
open to can resolve and verify. Proposed integrations at the IP and cloud boundary; Whisper
never reaches into the SecOC bus authenticator or the charging handshake.

**The VIN is the public index — the /128 is its cryptographic counterpart.** The /128
is bound to the device's key as well as the VIN, so VIN alone yields nothing: you cannot go
VIN → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return
the registry object, never the car's whereabouts.

**Lifecycle, end to end.** Factory IDevID burn → in-life authorization → incident `revoke`.
An ECU swap or dealer module replacement re-keys to a new /128 and revokes the old one; a
legitimate resale or decommission is one `revoke` and a re-register to the new owner.
Compromise one ECU and you've compromised *that ECU*, not the fleet — the DigiNotar failure
mode is structurally removed.

Maps to UN **R155** (CSMS), **R156** (SUMS), **ISO/SAE 21434**, the **EU Data Act** (in
force since 12 Sep 2025 — verifiable per-party identity is how you draw the
authorized-user-vs-unauthorized-aggregator line) and GDPR. Know, attribute and revoke every
component — delivered as a network primitive, not a compliance binder.

---

## The graph · for what already got in

**Identity stops the next forgery. The graph names whoever already scraped you.** You won't
re-key the whole fleet by Monday, and there is abuse in your logs right now. So the same
platform back-traces the operator behind the sessions you already logged — attribution that
*survives* the rotation, because it fingerprints the operator and the tooling, not the
ephemeral egress IP.

A live internet-infrastructure graph — **7.44B** nodes and
**39.3B** relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat
intelligence, answering in under 300 ms — fingerprints the *operator*, not the IP. Two
levers, kept honestly separate:

- **Cloud rotation** — the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy.
- **Residential-proxy swarm** — where a subscriber IP gives an infra graph nothing to grab, a `JA4/JA3` client fingerprint travels with the *tooling* regardless of the exit and collapses the swarm to one operator.

And it's a question, not a signature. Express fleet enumeration directly — *"one source
touching N distinct vehicle-identities in a window"* — as read-only Cypher, and the graph
returns the operator with a reproducible **evidence chain** your VSOC, your `PSIRT`, your
auditors and a regulator can replay. That's business-logic and `VIN`-enumeration abuse
caught by its shape across the fleet, not by a pattern you had to know in advance.

```sh
# ask the graph the business-logic question directly — read-only Cypher over the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' \
    -d '{"query":"MATCH (src)-[t:TOUCHED]->(v:VehicleIdentity)
    WHERE t.window = \"15m\" WITH src, count(DISTINCT v) AS vins
    WHERE vins > 50 RETURN src, vins ORDER BY vins DESC"}'
  operator <fingerprinted>   1 source → 3,412 distinct VINs / 15m
  egress:  AWS eu-central → GCP europe-w4 → Azure westeu   (collapsed to 1)
  ja4:     same tooling across 41 residential exits → 1 operator
  reproducible, replayable JSON evidence chain → your SIEM
```

> **"When they rotate residential proxies and fresh cloud IPs, can you actually attribute them — or just rate-limit an IP and move on?"**
> Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client
> fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on.

The verbs your analysts run — or your agent runs for them: `identify(ip)` (who really
operates a host, even behind a CDN) · `origins(prefix)` + `walk(node,depth)` (cluster
rotating IPs into one genealogy) · `history` / `watch` (a timeline and a standing sentinel
over a suspect operator). Every answer is reproducible, replayable JSON: the GDPR and EU-Data-Act
paper trail for an unauthorized-aggregator finding, not a screenshot.

---

## For the people who have to sign off

**Additive to your VSOC. Mapped to your standards. Priced so you can say yes.** Your
behavioral VSOC tells you *that* a fleet API is abused, at the app layer inside your own
cloud — necessary, and where that picture stops. Whisper adds the two layers no one else
owns: attribution across rotating clouds, and forge-proof identity after auth.

| | Behavioral VSOC | Whisper |
|---|---|---|
| Detect API abuse in your cloud (BOLA, business-logic) | ✓ | *additive feed* |
| Attribute the operator across rotating clouds / residential proxies | — | ✓ |
| Forge-proof per-car / per-agent identity **after** auth | — | ✓ |

- **Feeds your SIEM and PSIRT.** The Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings arrive as signed, replayable JSON mapped to CEF and ECS fields — with **STIX 2.1 over TAXII** export on the roadmap — that you can hand a regulator or push straight into a PSIRT workflow.
- **Speaks your compliance language.** Maps to UN R155 / R156 and ISO/SAE 21434 evidence, and to the **Auto-ISAC Automotive Threat Matrix** — findings tagged to ATM tactics and techniques, with the ATM's machine-readable JSON export on the roadmap for sharing straight to Auto-ISAC and your peers. Usable in TARA, cybersecurity interface agreements and type approval.
- **Flat pricing, real ROI.** Per-VIN/year and flat — not per-transaction, not usage-metered — a line item you can forecast against 40-billion-API-call-a-month economics. ROI is concrete: analyst-hours saved chasing disposable IPs, warranty and recall exposure reduced, one `revoke` instead of a fleet-wide reset. [See pricing →](/pricing)
- **Safe in your auth path.** It rides *on top of* the X.509 device-cert mTLS your connected-vehicle cloud already runs — **AWS IoT Core**, **Azure Event-Grid MQTT**, **Google Cloud** — anchoring that same identity in public DNSSEC/DANE rather than replacing your vendor's mTLS, so a regulator or peer can verify a car *outside* that cloud's tenancy. And it's built to **fail open**: a Whisper outage never bricks a car — checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
- **On-prem or your own tenant.** Data residency and GDPR by construction — the graph and the per-agent logs stay where your regulator needs them. No whole-fleet telematics leaving your boundary to a third party you never contracted.
- **A vendor that will still be here.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

[See the full comparison →](/compare)

---

## Prove it in 60 seconds · no account

Two tiers, by design. **No key:** anyone can verify a car's identity and resolve it —
trustless, anchored at the IANA root. **Your key:** back-trace a suspicious host on the graph,
register a vehicle, govern its agents, revoke it worldwide.

```sh
# keyless — re-derive and verify any car's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::c0de
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the car — reverse DNS names it
$ dig -x 2a04:2a01:1c0::c0de +short
  vin-wvwzzz1kz.fleet.example-oem.whisper.online.

# who really operates a suspicious host — with your key, via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```sh
# give a car a name it can prove, and govern its agents
$ export WHISPER_API_KEY=whisper_live_xxx
$ whisper register --vin WVW… --from-idevid
  → identity 2a04:2a01:1c0::c0de   DNSSEC + DANE live
$ whisper policy set --default deny --allow api.oem.com,ota.oem.com
$ whisper revoke 2a04:2a01:1c0::c0de   # worldwide, at DNS-TTL
```

Bring your fleet home → <https://console.whisper.security/sign-up> · Read the [docs](/docs).

---

## Give every car an identity it can prove.

The address is the car — routable, DNSSEC-anchored, revocable worldwide in one call. Keyless
to try, one call to provision, one more to revoke. The fleet-API abuse that no rate-limit
ever caught simply runs out of forgeries.

Bring your fleet home → <https://console.whisper.security/sign-up> · [For OEM security →](/oem-security)

Or run `whisper verify --trustless` right now.

---

*Whisper for Automotive · Identity on the wire for connected vehicles · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
