Nissan Leaf Cars Can Be Hacked

2191 1

The BBC has reported that “some of Nissan’s Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to a prominent security researcher.

Troy Hunt reported that a flaw with the electric vehicle’s companion app also meant data about drivers’ recent journeys could be spied on.” Experts from AlienVault, ESET and Tripwire provide insight into this vulnerability and what users can do to stay safe.

Richard Kirk, Senior Vice President, AlienVault:

  • Any insight into the vulnerability?

According to the research done by Troy Hunt, this is one of the most basic security mistakes that could be made. There is no user authorisation to validate that the user of the app is the owner of the car. It is hard to understand how a major global car manufacturer like Nissan could have a) allowed an app to be designed in such a way and b) not performed some degree of app security assessment and penetration testing before placing the app in the app store.

  • Could this be more serious than just the air-con and heating being hijacked?

If the app or car system developer were to add new app features, such as remote door unlocking or remote engine disablement, and they assumed that the app itself was safe and secure, then there could be serious implications, including either the theft of a car or its contents, or even an accident. This might sound extreme however other car manufacturers already provide similar app features.

  • What precautions should users of internet connected cars take in general?

Owners of internet enabled cars should take the same precautions as they do with other aspects of their digital lives, including using unique secure passwords and not sharing them. Unfortunately however, the security flaw with the NissanConnect App cannot be mitigated by the owner of the car, since it is part of the backend system rather than the app itself.

  • What can other car manufacturers learn from this?

Car manufacturers in general should apply the tried and trusted principles for secure application development. Many books have been written on the subject and numerous security companies offer help in this regard.

Mark James, Security Specialist at ESET:

  • Any insight into the vulnerability?

The actual vulnerability is not with the cars exactly, it’s more the servers Nissan are using to host the service. Data is sent from the car back to servers if the end user signs up and registers their car with the NissanConnect app.

By using the app or a web browser it’s possible to guess the needed credentials (in this case only the VIN number of the car) to gain access to secondary controls and user data on times and distances travelled. This could enable you to drain the battery, whilst this may seem quite insignificant it could be used to strand someone or incapacitate the car.

  • Could this be more serious than just the air-con and heating being hijacked?

Thankfully it only affects secondary controls so not as bad as some car hacks we have seen in the past where door locking or even steering has been affected, but technologies advance and if these flaws had not been found then more features may have been added and thus compromised.

  • What precautions should users of internet connected cars take in general?

The first thing I would ask myself is do I really need to connect my car to the internet either through website or smartphone app? The most likely answer is no, if you do then make sure you regularly check the information you are sending, most can be configured to turn features on and off and check after each update. We are no longer striding towards an internet connected world we are now running downhill towards anything and everything being connected without regard for security and safety. It may seem like an inconvenience to have authentication to be able to turn your heated seats or steering wheel on when it’s cold and icy in the morning but it’s better than having another portion of your private lives exposed for all to see and plunder.

  • What can other car manufacturers learn from this?

If you’re going to connect to the internet from anywhere you have to ensure authentication is in place. Every new feature you implement or cutting edge advantage you use to sell your cars has to be pitched from the “what if” angle of it being compromised. People are definitely getting more tech savvy and just because you can does not mean you should. Yes, we want our smartphones to do everything but we also want to feel safe and secure. The small advantage of having remote features will pale into insignificance if and when your data is compromised and you lose the trust of your precious users.

  • What should Nissan do now?

Simply suspend the service until it’s safe to use again, doing nothing will not make it any more secure.

Craig Young, Security Researcher at Tripwire:

While cloud connected car technology is in its infancy, it is likely that we will continue to hear about privacy and security related issues. Generally speaking any service (but especially services pertaining to connected cars) should not be authenticated based on non-private data. For example, with a service like this, it would be better to have an authentication token provided to clients upon login and then used as an access control to prove that the client is authorized to perform actions on that VIN. I would recommend that Nissan consider implementing a 2-factor authentication for added protection.  This could be as simple as having a more involved first time setup in which mobile devices are issued a device token which will subsequently be sent along with a username and password when connecting to the service.

Fortunately in this case I would not expect there to be any safety concerns but the possibility remains that this flaw could be used in conjunction with other vulnerabilities to further compromise a connected car. The possibility of pivoting out of non-safety critical systems and into a vehicle’s head end unit was famously demonstrated by Charlie Miller and Chris Valasek at Black Hat 2015.



Join the Conversation

Join the Conversation


In this article