IoT
2/25/2016
05:25 PM

Nissan Disables LEAF's Remote Telematics System After Profoundly Trivial Hack

All that is needed to gain access to any LEAF's telematics system is the car's VIN, researcher says.

Automaker Nissan Motor Company has temporarily disabled a remote telematics system in its LEAF electric vehicles after a security researcher showed how attackers could abuse it to gain access to the car’s battery charging and climate control systems from literally anywhere in the world.

In an emailed statement to Dark Reading, Nissan said its NissanConnect EV app is currently unavailable following the security researcher’s disclosure and Nissan’s own internal investigation of the issue. The statement described the problem as involving the dedicated server for the NissanConnect app, which enables remote control of the LEAF’s temperature control system and other telematics.

“No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence,” the statement read. “The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”

Nissan’s move to temporarily disable the NissanConnect EV app follows Australian security researcher Troy Hunt’s description this week of a method to take remote control of the system on any LEAF vehicle, using little more than the car’s Vehicle Identification Number (VIN).

According to Hunt, the problem has to do with the Application Programming Interface (API) that brokers the connection between the user’s smartphone and Nissan’s app servers. The way the NissanConnect API authenticates requests to the services running on the back-end servers is so weak that a VIN is all that is needed for someone to access and remotely control a LEAF’s telematics system.

Hunt said that when he looked at how the NissanConnect mobile app talked to the online service, he found the service responding to app requests without requiring any authentication beyond just the VIN. In other words, there was nothing to tie API calls made by the mobile app to a specific vehicle. Without even logging into the Nissan system, or authenticating identity in any way, an attacker could control the telematics on any NissanConnect-enabled vehicle anywhere, using its VIN.
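The flaw described above, sketched as server-side handlers next to a corrected check. This is an added example, not code from Nissan, the NissanConnect service or Hunt's write-up; the function names, VINs, users and passwords are constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: the VINs, users and passwords are made up.
OWNERS = {"SAMPLEVIN00000001": "alice", "SAMPLEVIN00000002": "bob"}
# Plain-text passwords only to keep the sample short; store salted hashes in practice.
PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}
SESSIONS = {}  # session token -> authenticated user


def login(user, password):
    """Issue an unguessable session token after checking the password."""
    expected = PASSWORDS.get(user)
    if expected is None or not hmac.compare_digest(
        expected.encode(), password.encode()
    ):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def climate_vin_only(vin, action):
    """Flawed pattern: the VIN, printed on the windscreen, is the only credential."""
    if vin not in OWNERS:
        return 404, "unknown vehicle"
    return 200, f"climate {action} for {vin}"


def climate_authorized(token, vin, action):
    """Hardened: authenticate the caller, then check the caller owns this VIN."""
    user = SESSIONS.get(token or "")
    if user is None:
        return 401, "authentication required"
    # Unknown and foreign VINs get the same answer, so the API
    # does not confirm which VINs exist.
    if OWNERS.get(vin) != user:
        return 403, "not authorized for this vehicle"
    if action not in ("on", "off"):
        return 400, "bad action"
    return 200, f"climate {action} for {vin}"
```

The second handler ties every call to an authenticated session and then to vehicle ownership, which is the binding between API calls and a specific owner that the article says was missing.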

In addition to gathering information like the battery charge status, the vehicle’s movements and when the vehicle was last operated, an attacker could use the vulnerability to potentially drain the battery by turning the climate control on and off.

From a pure security standpoint, the vulnerability is much less severe than previously discovered flaws in connected vehicles that allow attackers to take control of critical safety systems such as the vehicle’s braking, steering, and transmission functions.

But the breathtaking ease with which it can be exploited is disturbing, Hunt noted. The unique VIN for each LEAF is at the bottom of the front windscreen and is visible from the outside, so getting a VIN is not difficult. It’s also possible to find VINs for LEAF or any other vehicle on the web with little difficulty.

“Gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” Hunt wrote. “As car manufacturers rush towards joining in on the “Internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he said.

The incident is sure to fuel further concerns about the attention that automakers are paying to securing connected cars against remote attacks. Over the past few years, security researchers have demoed multiple remote attacks against connected vehicles, prompting concern from lawmakers and transportation safety officials alike.

Hunt’s demonstration of how easy it is to decipher the communication between the car and the back-end server highlights how security is often an afterthought when companies Internet-enable various technologies, said Reiner Kappenberger, global product manager for HPE Security. “We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker,” he said in a statement.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Yomphana,
User Rank: Apprentice
2/25/2016 | 6:13:58 PM
Multi-level authentication
It would be great if the system could authenticate with the VIN and customerID number, assuming that isn't too simple. Or send a pin number to the phone number affiliated with the VIN (assuming you can't hack and reset the number to a hacker's). Registration numbers are unique, but I wonder if that would have any privacy issues. Regardless, multi-level authentication is our friend.