# Whisper for Automotive — device identity on the wire for connected vehicles. This is auto.whisper.online. The marketing story here is told for the connected- vehicle security team; the /docs library, the console, and the whole system behind it are identical to whisper.online. Read it in full — written so both an agent and a person can act on it. ## The problem it solves Third parties reverse-engineer an OEM's connected-car app APIs, authenticate with a phished credential or a bearer token portable to any IP, and scrape whole-fleet data contract-free — indistinguishable from the real app because it is the app's protocol. The root cause is broken authentication (OWASP API BOLA): the token authenticates a claim, never the machine. Undetectable at the network layer, because the attacker rotates egress across clouds and residential proxies. ## The cure — make it an identity problem Give every car a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the hardware key it already holds (secure element / TPM / IEEE 802.1AR IDevID), with the VIN or ECU serial as the domain separator. DNSSEC-anchored, DANE-EE pinned, RDAP-registered, verifiable trustlessly with `whisper verify --trustless`. The backend then authorizes on the car's pinned identity, not a stealable token: one IP to thousands of cars becomes impossible, IP rotation is irrelevant, stolen sessions fail, and one revoke kills a compromised car worldwide. Additive to the X.509/mTLS and the SIEM the OEM already runs; complements 802.1AR / SCMS / ISO 15118 PKI, never replaces. ## Pages - / Home — the problem, the cure, and the two structural gaps - /fleet-api-abuse The fleet-API-abuse cure, end to end - /platform The three planes + where they fit the stack you already run - /oem-security For OEM security: VSOC/PSIRT + SIEM fit, R155 / ISO 21434 / Auto-ISAC ATM - /compare Honest comparison — additive, not a replacement - /pricing Flat, predictable pricing - /docs The full technical documentation (identical to whisper.online/docs) ## Verify it yourself (keyless) whisper verify --trustless dig -x # forward-confirmed reverse DNS curl https://whisper.online/verify-identity/ ## Provision (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query CALL whisper.agents({op:'register', args:{...}}) # mints the /128 identity Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32.