IoT
2/25/2016
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Nissan Disables LEAF’s Remote Telematics System After ‘Profoundly Trivial’ Hack

All that is needed to gain access to any LEAF's telematics system is the car's VIN, researcher says.

Automaker Nissan Motor Company has temporarily disabled a remote telematics system in its LEAF electric vehicles after a security researcher showed how attackers could abuse it to gain access to the car’s battery charging and climate control systems from literally anywhere in the world.

In an emailed statement to Dark Reading, Nissan said its NissanConnect EV app is currently unavailable following the security researcher’s disclosure and Nissan’s own internal investigation of the issue. The statement described the problem as involving the dedicated server for the NissanConnect app, which enables remote control of the LEAF’s temperature control system and other telematics.

“No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence,” the statement read. “The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”

Nissan’s move to temporarily disable the NissanConnect EV app follows Australian security researcher Troy Hunt’s description this week of a method to take remote control of the system on any LEAF vehicle, using little more than the car’s Vehicle Identification Number (VIN).

According to Hunt, the problem has to do with the Application Programming Interface (API) that brokers the connection between the user’s smartphone and Nissan’s app servers. The manner in which the NissanConnect’s APIs authenticates requests to the services running on the back end servers are so weak that a VIN is all that is needed for someone to access and remotely control a LEAF’s telematics system.

Hunt said that when he looked at how the NissanConnect mobile app talked to the online service, he found the service responding to app requests without requiring any authentication beyond just the VIN. In other words, there was nothing to tie API calls made by the mobile app to a specific vehicle. Without even logging into the Nissan system, or authenticating identity in any way, an attacker could control the telematics on any NissanConnect-enabled vehicle anywhere, using its VIN.

In addition to gathering information like the battery charge status, the vehicle’s movements and when the vehicle was last operated, an attacker could use the vulnerability to potentially drain the battery by turning the climate control on and off.

From a pure security standpoint, the vulnerability is much less severe than previously discovered flaws in connected vehicles that allow attackers to take control of critical safety systems such as the vehicle’s braking, steering, and transmission functions.

But the breathtaking ease with which it can be exploited is disturbing, Hunt noted. The unique VIN for each LEAF is at the bottom of the front windscreen and is visible from the outside, so getting a VIN is not difficult. It’s also possible to find VINs for LEAF or any other vehicle on the web with little difficulty.

“Gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” Hunt wrote. “As car manufacturers rush towards joining in on the “Internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he said.

The incident is sure to fuel further concerns about the attention that automakers are paying to securing connected cars against remote attacks. Over the past few years security researchers have demoed multiple remote attacks against connected vehicles prompting concern from lawmakers and transportation safety officials alike.

Hunt’s demonstration of how easy it is to decipher the communication between the car and the back end server highlights how security is often an afterthought when companies Internet-enable various technologies said Reiner Kappenberger, global product manager for HPE Security. “We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker,” he said in a statement.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Yomphana
50%
50%
Yomphana,
User Rank: Apprentice
2/25/2016 | 6:13:58 PM
Multi-level authentication
It would be great if the system could authenticate with the VIN and customerID number assuming that isn't too simple.   Or send a pin number to the phone number affliliateed with the VIN (assuming you can't hack and reset the number to a hacker's).  Registration numbers are unique but I wonder if that would have any privacy issues. Regardless multi-level authentication is our friend.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
8 Key Building Blocks for Enterprise Network Defense
Networks are changing rapidly -- and so are strategies for protecting them. This Tech Digest looks at the fundamentals for the next-gen environment.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In this episode of Dark Reading Radio, veteran CISOs will share their experience and insight into how organizations can get the best bang for their security buck.