I hate to be a doom-monger, but the internet of insecure things is clearly on the road to hell.
The latest product to be found demonstrating woeful security is the Nissan LEAF electric car.
As researchers Troy Hunt and Scott Helme reveal in a blog post today, a complete lack of authentication – all you need to know is a Nissan LEAF’s VIN (Vehicle Identification Number) – gives opportunities for mischief makers to steal information about your journeys, and even start or stop the air conditioning/heating.
How would you know a Nissan LEAF’s unique VIN? Well, you could either just take a look at the windscreen of the car you’re interested in or – as in the researchers’ case – simply change the last five digits of the VIN until you get a “hit”.
First, some important things to realise about this security hole.
The Nissan LEAF you are targeting has to be linked at some point to the NissanConnect EV smartphone app. If the car’s owner hasn’t connected their vehicle to the app, you are not going to be able to meddle with it.
Furthermore, unlike some other internet-connected cars, the Nissan LEAF’s API does not provide abilities such as remotely unlocking vehicles which would clearly be a boon to thieves. Nonetheless, as Scott Helme explains, there are still ways in which a malicious attacker could abuse the weak security:
“Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it. It’s much like being able to start the engine in a petrol car to run the AC, it’s going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it… You’d be stranded.”
However, although the impact of the attack may be nothing like as serious as the Jeep hacking dramatically demonstrated last year, the security flaw affecting Nissan LEAFs are many many times easier to exploit.
If hijacking a Jeep remotely was like man landing on the moon, turning a Nissan LEAF owner’s air-conditioning on remotely is like walking up the stairs.
What is more, evidence has been discovered that details of how to exploit the flaw is already being openly discussed in online forums, albeit largely by Nissan LEAF owners who are using the facility to turn on their car’s heating in the morning.
Finally, with the Nissan LEAF flaw there is a privacy angle as well.
Although you cannot determine by accessing the wide-open unauthenticated API the identity of the car owner or geographic location of the vehicle, information can be extracted about journeys that have been made, as Scott Helme explains:
“The other main concern here is that the telematics system in the car is leaking *all* of my historic driving data. That’s the details of every trip I’ve ever made in the car including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”
To demonstrate the security flaw, Troy Hunt and Scott Helme made a video – with Hunt hanging out by his pool in Australia while Helme shivered in his Nissan LEAF in wintery England.
Troy Hunt says that he informed Nissan about the problem in January, and was told earlier this month that they were “making progress toward a solution”.
However, the discovery that information about how to take advantage of the unauthenticated API was being openly discussed on the web made him realise that it was time to warn Nissan LEAF owners.
My advice? If you own a Nissan LEAF don’t connect it to the app. Nissan clearly didn’t give the first thought to security when they enabled their car to be controlled, even partially, via an app.
If you have already connected your Nissan LEAF to the app, follow Scott Helme’s advice on how to disassociate it by disable Nissan’s CarWings telematics service:
To disable CarWings, owners need to login to the service form their browser, it can’t be done through the mobile app. Once logged in, select ‘Configuration’ from the menu and there is a ‘Remove CarWings’ button. It appears to be greyed out but the button does work. Once clicked you will receive a prompt to confirm that you wish to disable CarWings and asked to provide a reason why. Click ‘Validate’ when the appropriate option has been selected and you will get a confirmation message that CarWings has been disabled. You should also receive a confirmation via email. Once Nissan have resolved this issue it should be safe to re-enable your CarWings account and resume using features associated with it. Simply login to your account and follow the prompts on screen.
Sadly I suspect that problems like these are only going to get worse as more and more devices are connected to the internet by vendors who simply do not seem to understand online security. Cars are today becoming the ultimate online mobile device – if they are not built securely, the implications are likely to be serious.
Learn much more in the blog post on Troy Hunt’s site.
Embarrassingly, it appears that in some territories the Nissan LEAF API is accessible without using HTTPS – increasing the opportunities for hackers to steal VINs and meddle with communications.
— Chris McKee (@chrismckee) February 24, 2016