Lousy Nissan LEAF security leaves cars open to online exploitation


I hate to be a doom-monger, but the internet of insecure things is clearly on the road to hell.

The latest product to be found demonstrating woeful security is the Nissan LEAF electric car.

As researchers Troy Hunt and Scott Helme reveal in a blog post today, a complete lack of authentication - all you need to know is a Nissan LEAF's VIN (Vehicle Identification Number) - gives opportunities for mischief makers to steal information about your journeys, and even start or stop the air conditioning/heating.
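The design flaw described above, sketched as an added example (not code from the article, the researchers or Nissan): a handler that treats the VIN as if it were a credential, beside one that requires a logged-in account that owns the VIN. The account names, placeholder VINs, token format and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed data: account -> VINs registered to it (placeholder VINs).
OWNED_VINS = {"alice": {"EXAMPLEVIN0000001"}, "bob": {"EXAMPLEVIN0000002"}}
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret


def _sign(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Handed out only after a real login (login and expiry not shown)."""
    return f"{account}.{_sign(account)}"


def account_from_token(token):
    """Return the account a token was issued to, or None if it is invalid."""
    if not token or "." not in token:
        return None
    account, sig = token.rsplit(".", 1)
    ok = hmac.compare_digest(sig.encode(), _sign(account).encode())
    return account if ok else None


def climate_unauthenticated(vin: str) -> int:
    """Pattern the article describes: the VIN alone selects the car."""
    known = any(vin in vins for vins in OWNED_VINS.values())
    return 200 if known else 404  # the status also confirms which VINs exist


def climate_authorized(token, vin: str) -> int:
    """Hardened: the caller must be logged in and must own the VIN."""
    account = account_from_token(token)
    if account is None:
        return 401
    if vin not in OWNED_VINS.get(account, set()):
        return 403  # same answer for "not yours" and "no such VIN"
    return 200  # only now would the command be sent to the car
```

A VIN is printed on the car, so it can only ever be an identifier; the authorization decision has to come from the session.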

How would you know a Nissan LEAF's unique VIN? Well, you could either just take a look at the windscreen of the car you're interested in or - as in the researchers' case - simply change the last five digits of the VIN until you get a "hit".
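From the service operator's side, that kind of guessing leaves a recognisable trace: one client asking about many VINs that differ only in the last five characters. The following is an added detection sketch, not part of the original article; the log format, client addresses, placeholder VINs and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed access-log lines: "<iso-time> <client> <vin> <http-status>"
SAMPLE_LOG = """\
2016-02-24T08:00:01Z 198.51.100.7 EXAMPLEVIN0010001 404
2016-02-24T08:00:02Z 198.51.100.7 EXAMPLEVIN0010002 404
2016-02-24T08:00:03Z 198.51.100.7 EXAMPLEVIN0010003 200
2016-02-24T08:00:04Z 198.51.100.7 EXAMPLEVIN0010004 404
2016-02-24T08:00:05Z 198.51.100.7 EXAMPLEVIN0010005 404
2016-02-24T08:01:00Z 203.0.113.9 EXAMPLEVIN0099999 200
2016-02-24T08:06:00Z 203.0.113.9 EXAMPLEVIN0099999 200
2016-02-24T08:11:00Z 203.0.113.9 EXAMPLEVIN0099999 200
truncated line
"""


def enumeration_suspects(log_text: str, min_distinct: int = 4) -> dict:
    """Flag (client, 12-char VIN prefix) pairs that touch many distinct VINs.

    An owner's app polls one VIN repeatedly; a client cycling the last
    five characters produces many distinct VINs under a single prefix.
    """
    seen = defaultdict(set)   # (client, prefix) -> distinct VINs requested
    hits = defaultdict(int)   # (client, prefix) -> requests answered 200
    for line in log_text.splitlines():
        try:
            _ts, client, vin, status = line.split()
            status = int(status)
        except ValueError:
            continue          # skip blank or malformed lines
        if len(vin) != 17:    # a VIN is always 17 characters
            continue
        key = (client, vin.upper()[:12])
        seen[key].add(vin.upper())
        if status == 200:
            hits[key] += 1
    return {
        key: {"distinct_vins": len(vins), "hits": hits[key]}
        for key, vins in seen.items()
        if len(vins) >= min_distinct
    }
```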


First, some important things to realise about this security hole.

The Nissan LEAF you are targeting has to be linked at some point to the NissanConnect EV smartphone app. If the car's owner hasn't connected their vehicle to the app, you are not going to be able to meddle with it.


Furthermore, unlike some other internet-connected cars, the Nissan LEAF's API does not provide abilities such as remotely unlocking vehicles which would clearly be a boon to thieves. Nonetheless, as Scott Helme explains, there are still ways in which a malicious attacker could abuse the weak security:

"Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it. It's much like being able to start the engine in a petrol car to run the AC, it's going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it... You'd be stranded."

However, although the impact of the attack may be nothing like as serious as the Jeep hacking dramatically demonstrated last year, the security flaw affecting Nissan LEAFs is many, many times easier to exploit.

If hijacking a Jeep remotely was like man landing on the moon, turning a Nissan LEAF owner's air-conditioning on remotely is like walking up the stairs.

What is more, evidence has been discovered that details of how to exploit the flaw are already being openly discussed in online forums, albeit largely by Nissan LEAF owners who are using the facility to turn on their car's heating in the morning.

Finally, with the Nissan LEAF flaw there is a privacy angle as well.

Although you cannot determine by accessing the wide-open unauthenticated API the identity of the car owner or geographic location of the vehicle, information can be extracted about journeys that have been made, as Scott Helme explains:

"The other main concern here is that the telematics system in the car is leaking *all* of my historic driving data. That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy."

To demonstrate the security flaw, Troy Hunt and Scott Helme made a video - with Hunt hanging out by his pool in Australia while Helme shivered in his Nissan LEAF in wintery England.

Troy Hunt says that he informed Nissan about the problem in January, and was told earlier this month that they were "making progress toward a solution".

However, the discovery that information about how to take advantage of the unauthenticated API was being openly discussed on the web made him realise that it was time to warn Nissan LEAF owners.

My advice? If you own a Nissan LEAF don't connect it to the app. Nissan clearly didn't give the first thought to security when they enabled their car to be controlled, even partially, via an app.

If you have already connected your Nissan LEAF to the app, follow Scott Helme's advice on how to disassociate it by disabling Nissan's CarWings telematics service:

To disable CarWings, owners need to log in to the service from their browser, it can't be done through the mobile app. Once logged in, select 'Configuration' from the menu and there is a 'Remove CarWings' button. It appears to be greyed out but the button does work. Once clicked you will receive a prompt to confirm that you wish to disable CarWings and asked to provide a reason why. Click 'Validate' when the appropriate option has been selected and you will get a confirmation message that CarWings has been disabled. You should also receive a confirmation via email. Once Nissan have resolved this issue it should be safe to re-enable your CarWings account and resume using features associated with it. Simply log in to your account and follow the prompts on screen.

Sadly I suspect that problems like these are only going to get worse as more and more devices are connected to the internet by vendors who simply do not seem to understand online security. Cars are today becoming the ultimate online mobile device - if they are not built securely, the implications are likely to be serious.

Learn much more in the blog post on Troy Hunt's site.

Update:

Embarrassingly, it appears that in some territories the Nissan LEAF API is accessible without using HTTPS - increasing the opportunities for hackers to steal VINs and meddle with communications.


4 Responses

  1. Anna Nguyen

    February 24, 2016 at 8:05 pm #

    I guess they don't know about the API call to retrieve that car's current longitude and latitude? http://www.mynissanleaf.com/viewtopic.php?f=27&t=2214&start=110#p453844

  2. Chris Pugson

    February 25, 2016 at 2:38 pm #

    My 1958 Wolseley 1500 is unaffected (smug). Don't know about the post 1961 models though.

    • coyote in reply to Chris Pugson.

      February 27, 2016 at 12:29 am #

      I've had similar thoughts too. The safest cars on the market will become those which aren't connected (and same goes for those not controlled by 'AI' that most certainly can't react to every situation especially during an emergency .. and AI isn't anywhere near as good to react to that even besides it would have to learn it first .. and I for one hope it never gets close to it). I find that a rather disturbing fact because the older cars should be less safe (in that the new technology should improve things over the old rather than it's old so it must be less safe) just like they should be less clean (VW incidents notwithstanding but actually that's only slightly relevant because I conveniently added 'should be' and not 'are').

      But what happens when you finally have to get a new car ? I know there are exceptional cases but those are oddly enough exceptions.

  3. coyote

    February 27, 2016 at 12:23 am #

    Awesome pun in the beginning, Graham.

    'Sadly I suspect that problems like these are only going to get worse as more and more devices are connected to the internet by vendors who simply do not seem to understand online security.'

    You're being far, far too nice Graham. They don't understand security, full stop. It's not just 'online', is it ? The fact it's connected also is a problem, yes, but they shouldn't even consider that until they sort out other problems with what they design (and in the cases these problems are in fact it being Internet-enabled then my point is only partially irrelevant).

    'Well, you could either just take a look at the windscreen of the car you're interested in or – as in the researchers' case – simply change the last five digits of the VIN until you get a "hit".'

    That's just stupid.

    'What is more, evidence has been discovered that details of how to exploit the flaw is already being openly discussed in online forums, albeit largely by Nissan LEAF owners who are using the facility to turn on their car's heating in the morning.'

    And that's just hilarious – and the right attitude too (though perhaps on the risky and reckless side because they should rather defuse such a ticking time bomb instead of activating it).
