Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/25/2016
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Nissan Disables LEAFs Remote Telematics System After Profoundly Trivial Hack

All that is needed to gain access to any LEAF's telematics system is the car's VIN, researcher says.

Automaker Nissan Motor Company has temporarily disabled a remote telematics system in its LEAF electric vehicles after a security researcher showed how attackers could abuse it to gain access to the car’s battery charging and climate control systems from literally anywhere in the world.

In an emailed statement to Dark Reading, Nissan said its NissanConnect EV app is currently unavailable following the security researcher’s disclosure and Nissan’s own internal investigation of the issue. The statement described the problem as involving the dedicated server for the NissanConnect app, which enables remote control of the LEAF’s temperature control system and other telematics.

“No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence,” the statement read. “The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”

Nissan’s move to temporarily disable the NissanConnect EV app follows Australian security researcher Troy Hunt’s description this week of a method to take remote control of the system on any LEAF vehicle, using little more than the car’s Vehicle Identification Number (VIN).

According to Hunt, the problem has to do with the Application Programming Interface (API) that brokers the connection between the user’s smartphone and Nissan’s app servers. The manner in which the NissanConnect’s APIs authenticates requests to the services running on the back end servers are so weak that a VIN is all that is needed for someone to access and remotely control a LEAF’s telematics system.

Hunt said that when he looked at how the NissanConnect mobile app talked to the online service, he found the service responding to app requests without requiring any authentication beyond just the VIN. In other words, there was nothing to tie API calls made by the mobile app to a specific vehicle. Without even logging into the Nissan system, or authenticating identity in any way, an attacker could control the telematics on any NissanConnect-enabled vehicle anywhere, using its VIN.

In addition to gathering information like the battery charge status, the vehicle’s movements and when the vehicle was last operated, an attacker could use the vulnerability to potentially drain the battery by turning the climate control on and off.

From a pure security standpoint, the vulnerability is much less severe than previously discovered flaws in connected vehicles that allow attackers to take control of critical safety systems such as the vehicle’s braking, steering, and transmission functions.

But the breathtaking ease with which it can be exploited is disturbing, Hunt noted. The unique VIN for each LEAF is at the bottom of the front windscreen and is visible from the outside, so getting a VIN is not difficult. It’s also possible to find VINs for LEAF or any other vehicle on the web with little difficulty.

“Gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” Hunt wrote. “As car manufacturers rush towards joining in on the “Internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he said.

The incident is sure to fuel further concerns about the attention that automakers are paying to securing connected cars against remote attacks. Over the past few years security researchers have demoed multiple remote attacks against connected vehicles prompting concern from lawmakers and transportation safety officials alike.

Hunt’s demonstration of how easy it is to decipher the communication between the car and the back end server highlights how security is often an afterthought when companies Internet-enable various technologies said Reiner Kappenberger, global product manager for HPE Security. “We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker,” he said in a statement.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Yomphana
50%
50%
Yomphana,
User Rank: Apprentice
2/25/2016 | 6:13:58 PM
Multi-level authentication
It would be great if the system could authenticate with the VIN and customerID number assuming that isn't too simple.   Or send a pin number to the phone number affliliateed with the VIN (assuming you can't hack and reset the number to a hacker's).  Registration numbers are unique but I wonder if that would have any privacy issues. Regardless multi-level authentication is our friend.
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1575
PUBLISHED: 2019-07-16
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and p...
CVE-2019-1576
PUBLISHED: 2019-07-16
Command injection in PAN-0S 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user?s permissions.
CVE-2018-19629
PUBLISHED: 2019-07-16
A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection.
CVE-2019-10100
PUBLISHED: 2019-07-16
Quake3e < 5ed740d is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Argument string creation.
CVE-2019-10100
PUBLISHED: 2019-07-16
UPX 3.95 is affected by: Integer Overflow. The impact is: attacker can cause a denial of service. The component is: src/p_lx_elf.cpp PackLinuxElf32::PackLinuxElf32help1() Line 262. The attack vector is: the victim must open a specially crafted ELF file.