Automotive
A stolen session and a guessable VIN shouldn't be able to drive your whole fleet.
A connected-vehicle backend authenticates a claim: a bearer token, an API key, an app login. It never authenticates the machine on the other end. Whisper closes that gap with one primitive: the vehicle's address is its identity. This page is the automotive front door to the Whisper docs. The full technical library (DNSSEC, DANE, RDAP, the control-plane API) sits one click down the sidebar, shared verbatim with whisper.online.
The problem: fleet-API abuse
A third party reverse-engineers a connected-car app until it holds the exact calls the official app makes, then authenticates the same ways the app does: a phished owner login, a static key lifted from the app bundle, or an OAuth bearer token portable to any IP. From there it is contract-less, low-and-slow polling, indistinguishable from a real handset because it is the handset's protocol. Rate-limit it and a fresh IP appears; the egress hops across clouds and residential proxies, so all the SOC ever logs is a meaningless last IP. The root cause has a name: OWASP broken authentication / BOLA. The token authenticates a claim, never the machine.
Detection will always be a step behind a credential that is genuinely valid. The strictly-stronger move is to change what the backend trusts.
The cure: the address is the car
Shipped & live. Deriving a vehicle or ECU /128 from the hardware key it already holds is in production today. Provision one with the control-plane call below, then verify it from the DNSSEC root with tools already on your machine.
Whisper gives each vehicle (or each ECU) a routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), derived deterministically from the device's public key: its SubjectPublicKeyInfo, the public half of an 802.1AR IDevID, a TPM, or a secure-element key, with the VIN (and, optionally, an ECU serial) as the domain separator. The private key never leaves the chip; only its public SPKI is an input. The result is DNSSEC-anchored, DANE-EE 3 1 1 pinned, and RDAP-registered. Anyone with dig can re-derive and verify it.
device public key (SPKI) ──derive · domain-sep = VIN──▶ /128 ──DNSSEC + DANE-EE 3 1 1──▶ a name anyone verifies
802.1AR IDevID / TPM / 2a04:2a01:1c0::c0de RDAP-registered whisper verify --trustless
secure element routable, tenant-bound op:'revoke' → gone at DNS-TTL
(private key stays on-chip)
Because the derivation is tenant-bound, the same key under two different fleets yields two unrelated /128s: an outsider cannot link a vehicle across tenants. And because the domain separator is the VIN, VIN alone yields nothing. You cannot go VIN → /128 without the key, there is no enumerable directory, and RDAP and reverse-DNS return the registry object, never the car's whereabouts.
What becomes true the moment a vehicle holds one:
- "One IP → thousands of cars" becomes physically impossible. You cannot present thousands of car-identities whose keys you don't hold; every forgery is a DNSSEC/DANE inconsistency any verifier catches.
- IP rotation becomes irrelevant. Identity is not the source IP. The "last IP" was never the credential, so rotating it across clouds or proxies changes nothing.
- Stolen sessions fail. A valid-looking token with no car-key behind it authenticates to nothing.
- One
revokekills a compromised car worldwide at DNS-TTL speed: no fleet-wide reset, no CRL you hope every car fetched.
Additive, never a replacement. Whisper complements the anchors you already ship: 802.1AR IDevID/LDevID, SecOC, SCMS for V2X, ISO 15118 Plug & Charge, TPM/HSM/eSIM. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the car↔cloud boundary. Whisper never reaches into the SecOC in-vehicle bus authenticator, the V2X/SCMS air interface, or the ISO 15118 charging handshake.
Provision a vehicle identity
Provisioning is one control-plane call over the public API: POST https://graph.whisper.security/api/query with your X-API-Key. Hand it the device's base64 SPKI and the VIN; it returns the deterministic /128 and a WireGuard config for source-bound egress:
CALL whisper.agents({op:'connect', args:{
tier:'wireguard',
identity_public_key:'<base64 SPKI of the device key>',
vin:'1HGCM82633A004352'
}}) YIELD op, ok, status, result, error
RETURN op, ok, status, result, error
Send it with your key. The heredoc keeps the single-quoted Cypher literals intact, so this runs as-is:
curl -s https://graph.whisper.security/api/query \
-H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' \
--data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'<base64 SPKI>', vin:'1HGCM82633A004352'}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error"}
JSON
# response
{ "op": "connect", "ok": true, "status": "created",
"result": {
"address": "2a04:2a01:1c0::c0de",
"fqdn": "vin-1hgcm82633a004352.fleet.<tenant>.agents.whisper.online",
"wireguard": { /* peer, keys, allowed-ips */ }
} }
The call is idempotent and liberal in what it accepts, strict in what it returns: re-running with the same key and VIN returns the same /128; a different VIN for a key already registered on your tenant is a clear 409, not a silent overwrite; a non-string VIN is a 400 that tells you exactly what was wrong, never an opaque 500.
A dedicated --vin CLI flag is on the roadmap; today, vehicle provisioning is the control-plane call above (which is live). The shipped CLI verbs are whisper verify --trustless, whisper create --register, whisper kill --revoke, whisper policy, and whisper logs. See CLI & one-command.
Verify it yourself: no account needed
Every vehicle identity is checkable with no key and no login, from the internet's own records. The whisper CLI does the full walk in one call:
whisper verify --trustless vin-1hgcm82633a004352.fleet.<tenant>.agents.whisper.online
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) leaf matches the identity's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED (our own API was never trusted)
Or reach for the raw records directly: the same answer, from stock tools:
# the public verify endpoint: evidence chain in JSON
curl -s https://whisper.online/verify-identity/2a04:2a01:1c0::c0de | jq
{ "is_whisper_agent": true, "dane_ok": true, "jws_ok": true, "evidence": { /* … */ } }
# the address is the car: forward-confirmed reverse DNS names it
dig -x 2a04:2a01:1c0::c0de +short
vin-1hgcm82633a004352.fleet.<tenant>.agents.whisper.online.
# the registry object: who holds the address, and under which allocation
curl -s https://whisper.online/ip/2a04:2a01:1c0::c0de | jq
None of these calls Whisper as an authority: --trustless re-derives the proof against the public DNSSEC root, exactly as any resolver could. See Verify an agent for the full keyless check and DANE & TLSA for the pin, byte for byte.
Revoke, worldwide
A compromised ECU, a resale, a decommission. One call tears down the /128, its PTR, and its DANE pin everywhere at DNS-TTL speed:
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:1c0::c0de'}})
# after the TTL: dig -x returns nothing, verify returns false
whisper kill --revoke 2a04:2a01:1c0::c0de
Compromise one ECU and you've compromised that ECU, not the fleet. The DigiNotar failure mode is structurally removed.
Attribution: name whoever already scraped you
Identity stops the next forgery; the graph names the operator behind the sessions already in your logs. That attribution survives IP rotation because it fingerprints the operator and the tooling, not the ephemeral egress IP. Run it as read-only Cypher over the same public API with your key (there is no CLI subcommand for this; it is the graph API directly):
curl -s https://graph.whisper.security/api/query \
-H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' \
-d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
# operator fingerprinted across AWS / GCP / Azure; residential swarm collapsed by JA4
The read-only verbs (identify, origins, walk, variants, history) each return a reproducible, replayable JSON evidence chain your VSOC, PSIRT, and a regulator can replay. More in Graph & cognition.
What ships today, and what's on the roadmap
We label these honestly so you can plan against them.
| Shipped & live | On the roadmap |
|---|---|
Vehicle/ECU /128 from the device key + VIN: DNSSEC + DANE-EE + RDAP |
A dedicated --vin CLI flag (provision via the control-plane call today) |
| Control-plane provision, verify, revoke; the attribution graph over the public API | STIX 2.1 over TAXII export |
| The Splunk, Microsoft Sentinel and OpenCTI connectors (signed, replayable JSON → CEF / ECS fields) | Auto-ISAC ATM machine-readable JSON export |
The integration guides below describe proposed integrations at the cloud and IP boundary. They're designed to complement the stack you already run, not endorsed by any vendor, and they never name a specific OEM as a breach victim.
The five Automotive guides
The automotive story, in depth: each page is self-contained and copy-paste runnable.
/128 from the hardware key a vehicle or ECU already holds. Deterministic, tenant-bound, DNSSEC + DANE-EE pinned: the device-identity spine.
Fleet-API-abuse cure →Why a stolen token drives your whole fleet, and how a forge-proof address ends it: the BOLA root cause, cured at the identity layer.
Platform integrations →Proposed integrations at the cloud/IP boundary: COVESA uProtocol, AWS IoT Core / FleetWise, 802.1AR, AUTOSAR Adaptive, ISO 20078. Complements, never replaces.
R155 · ISO 21434 · ATM →Map identity and attribution evidence to UN R155/R156, ISO/SAE 21434, the Auto-ISAC ATM, and the EU Data Act, as a network primitive, not a binder.
V2X · OTA · anti-counterfeit →Runnable recipes: anchor an OTA update endpoint, prove a part's identity against counterfeits, back-trace a suspicious host on the graph.
The full technical library
Automotive rides on the same address-is-identity platform as every other agent on the network, so the whole shared library applies here unchanged, and every page has a clean Markdown twin at the same path + .md. Start with these; the rest is in the sidebar.
dig, curl, and openssl.
DANE & TLSA →The 3 1 1 pin that makes an address forge-proof, byte for byte, no CA in the path.
Control plane →The full whisper.agents API (provision, connect, policy, logs, revoke) over the public endpoint.