

Opening up a backdoor for hackers?

Application programming interfaces are great.
Without them, all the nifty apps on our phones wouldn’t be able to communicate with each other as easily. Software development would be much more complex. It would be harder for business partners to interact. And commercial opportunities might fall by the wayside.
But from a security point of view, the interfaces (APIs) are nothing less than “scary”, according to Chris Jenkins, principal chief architect, cybersecurity strategy and adoption at Red Hat, a US open-source software company. “In the old days, you had one application that didn’t talk to anything,” he explains. “Now, you have multiple small applications using ‘micro services’ to talk to each other.
“All of these are using APIs, and they are great, because they are everywhere. From a security point of view, they are also really scary – because they are everywhere.”
Cyber criminals know this and are already taking advantage. The incident that exposed the personal data, including email addresses, of almost 5.5 million Twitter (now X) users at the end of 2022, for example, was traced to a vulnerability in the social media platform’s API that let an attacker submit an email address or phone number and learn which account it belonged to.
Now imagine if a hacker got access to the API for your network management software and sold the IP address of every device on the network to the highest bidder. The potential damage could be immense.
Without APIs, technology wouldn’t be as user-friendly: with them, there’s the potential of a backdoor entrance for undesirables.
An expensive business
Cyber-crime costs. The Twitter hack was just one of the more than 800,000 complaints logged by the FBI Internet Crime Complaint Center in 2022, which together represented $10.3 billion in losses for the individuals and organisations concerned. In the UK, more than two-thirds of large organisations reported being subject to a cyber-attack in the Government’s most recent Cyber Security Breaches Survey.
The Government estimates cyber-criminals cost the British economy around £27 billion a year.
It's not just criminals that pose a threat, either. APIs may facilitate collaboration but even users with the best of intentions can pose problems. “It’s possible to swamp the system with demands,” explains Jenkins’ colleague, principal solution architect Mark Roberts.
“You may become a victim of your own success in that you make your software widely available, but it can’t cope with the volume of activity.”
Left unauthenticated and unthrottled, an API endpoint is also an easy target for a distributed denial-of-service (DDoS) attack, a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it with requests from many sources.
That’s where measures such as rate limiting (sometimes called ‘rate throttling’), which cap how many requests a client may make in a given window, come into their own. Roberts says: “When it comes to denial-of-service attacks, it’s like having a bouncer on the door saying, ‘you’ve knocked 20 times today, I’m not letting you in again’.”
The result may be the temporary blacklisting of an offending IP address. A per-address limit stops a single misbehaving client, but it does not by itself absorb a DDoS spread across thousands of addresses, which has to be filtered upstream; and because clients behind a shared NAT gateway all present the same address, limits are often keyed on an API credential as well. “It’s crucial to stop people overwhelming the network,” says Jenkins.
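One way to build the ‘bouncer’ Roberts describes, as an added illustration that is not Red Hat’s code and does not come from the original article: a token-bucket rate limiter keyed per client (source IP or API key), which first rejects requests once a client’s allowance is spent and then blocks the client outright if it keeps hammering. The capacity of 20 requests, the refill rate, the five-strike threshold, the 300-second block and the sample addresses are all assumed values chosen for the example; the clock is injectable so the behaviour can be reproduced deterministically.

```python
"""Per-client API rate limiter with a cooldown block for repeat offenders.

Illustrative code, not taken from Red Hat or the article. Parameters below
are assumptions picked for the example, not recommendations for any system.
"""
from collections import Counter
from dataclasses import dataclass
import time


@dataclass
class _Bucket:
    tokens: float          # requests the client may still make right now
    last_refill: float     # clock value when `tokens` was last topped up
    violations: int = 0    # consecutive rejected requests since last success
    blocked_until: float = 0.0


class RateLimiter:
    """Token bucket keyed by client identifier (source IP or API key)."""

    def __init__(self, capacity=20, refill_per_sec=20 / 60,
                 max_violations=5, block_seconds=300, clock=time.monotonic):
        self.capacity = capacity            # burst allowance
        self.refill_per_sec = refill_per_sec  # sustained rate (20 per minute)
        self.max_violations = max_violations  # strikes before a hard block
        self.block_seconds = block_seconds
        self.clock = clock                  # injectable for deterministic tests
        self._buckets: dict[str, _Bucket] = {}

    def allow(self, client: str) -> tuple[bool, str]:
        """Return (admitted, reason) for one request from `client`."""
        now = self.clock()
        b = self._buckets.get(client)
        if b is None:
            b = self._buckets[client] = _Bucket(tokens=self.capacity, last_refill=now)

        # The bouncer's hard "no": an active block short-circuits everything.
        if now < b.blocked_until:
            return False, "blocked"

        # Top the bucket up in proportion to elapsed time, never past capacity.
        b.tokens = min(self.capacity,
                       b.tokens + (now - b.last_refill) * self.refill_per_sec)
        b.last_refill = now

        if b.tokens >= 1:
            b.tokens -= 1
            b.violations = 0
            return True, "ok"

        # Out of tokens: count the strike; enough strikes earn a cooldown block.
        b.violations += 1
        if b.violations >= self.max_violations:
            b.blocked_until = now + self.block_seconds
            b.violations = 0
            return False, "blocked"
        return False, "rate limited"


def simulate():
    """Constructed scenario: one noisy client bursts 30 requests at t=0 while a
    quiet client makes 3; the noisy client tries again after its block expires.
    Returns (outcome counts for the burst, quiet client's admissions, retry result)."""
    fake_now = [0.0]
    limiter = RateLimiter(capacity=20, refill_per_sec=20 / 60, max_violations=5,
                          block_seconds=300, clock=lambda: fake_now[0])

    burst = Counter(limiter.allow("198.51.100.7")[1] for _ in range(30))
    quiet = [limiter.allow("198.51.100.9")[0] for _ in range(3)]

    fake_now[0] = 301.0                     # one second after the block lapses
    retry = limiter.allow("198.51.100.7")
    return dict(burst), quiet, retry


if __name__ == "__main__":
    print(simulate())
```

In the scenario, the noisy client gets its 20-request burst, is rate-limited on the next four attempts, and is blocked on the fifth strike and for every request after that until the cooldown ends; the quiet client, with its own bucket, is never affected. In a real deployment the bucket state would live in a shared store such as Redis so that every API gateway replica sees the same counts, and the limiter would sit in front of authentication so that unauthenticated traffic is throttled before it costs anything.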
Hackers for hire
Those who want to damage digital infrastructure are always looking for new ways to exploit vulnerabilities. Roberts uses the example of Covid, where criminals exploited government support schemes for financial gain. “The same applies to technology. People are trying to find chinks in the armour.”
Just as technology changes rapidly, criminals adopt new approaches. Trends such as ‘hacking as a service’ see hackers rent out their capabilities to the highest bidder. Some organised crime groups, for example, may not have the expertise to commit cyber-crime themselves, so they hire people who can.

