Dark Reading is part of the Informa Tech Division of Informa PLC


IoT
2/25/2016
05:25 PM

Nissan Disables LEAF’s Remote Telematics System After ‘Profoundly Trivial’ Hack

All that is needed to gain access to any LEAF's telematics system is the car's VIN, researcher says.

Automaker Nissan Motor Company has temporarily disabled a remote telematics system in its LEAF electric vehicles after a security researcher showed how attackers could abuse it to gain access to the car’s battery charging and climate control systems from literally anywhere in the world.

In an emailed statement to Dark Reading, Nissan said its NissanConnect EV app is currently unavailable following the security researcher’s disclosure and Nissan’s own internal investigation of the issue. The statement described the problem as involving the dedicated server for the NissanConnect app, which enables remote control of the LEAF’s temperature control system and other telematics.

“No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence,” the statement read. “The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”

Nissan’s move to temporarily disable the NissanConnect EV app follows Australian security researcher Troy Hunt’s description this week of a method to take remote control of the system on any LEAF vehicle, using little more than the car’s Vehicle Identification Number (VIN).

According to Hunt, the problem lies in the Application Programming Interface (API) that brokers the connection between the user’s smartphone and Nissan’s app servers. The way the NissanConnect API authenticates requests to the services running on the back-end servers is so weak that a VIN is all that is needed for someone to access and remotely control a LEAF’s telematics system.

Hunt said that when he looked at how the NissanConnect mobile app talked to the online service, he found the service responding to app requests without requiring any authentication beyond just the VIN. In other words, there was nothing to tie API calls made by the mobile app to a specific vehicle. Without even logging into the Nissan system, or authenticating identity in any way, an attacker could control the telematics on any NissanConnect-enabled vehicle anywhere, using its VIN.
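The flaw described above, a back end that accepts a VIN as the sole credential, next to a server-side fix that authenticates the caller and checks vehicle ownership. This is an added example, not Nissan's or Hunt's code; the placeholder VINs, account names, token format and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: placeholder VINs and account names, not real vehicles.
VEHICLE_OWNER = {"VIN-PLACEHOLDER-0001": "alice", "VIN-PLACEHOLDER-0002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # per-process key used to sign session tokens


def _sign(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Issued only after a real login (password, MFA, ...), which is omitted here."""
    return f"{account}.{_sign(account)}"


def account_from_token(token: str):
    """Return the account a token was issued to, or None if it does not verify."""
    account, _, sig = token.rpartition(".")
    if hmac.compare_digest(sig.encode(), _sign(account).encode()):
        return account
    return None


def climate_vin_only(vin: str, state: str):
    """Pattern described in the article: the VIN is the only thing checked."""
    if vin not in VEHICLE_OWNER:
        return 404, "unknown vehicle"
    return 200, f"climate {state} for {vin}"


def climate_authorized(token: str, vin: str, state: str):
    """Hardened form: authenticate the caller, then check they own this VIN."""
    account = account_from_token(token or "")
    if account is None:
        return 401, "authentication required"
    # Same answer for "not yours" and "does not exist", so the endpoint
    # cannot be used to test which VINs are enrolled in the service.
    if VEHICLE_OWNER.get(vin) != account:
        return 403, "forbidden"
    return 200, f"climate {state} for {vin}"
```

The VIN stays in the request as an identifier for which vehicle is meant; the authorization decision comes from the verified session and the server's own ownership record.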

In addition to gathering information like the battery charge status, the vehicle’s movements and when the vehicle was last operated, an attacker could use the vulnerability to potentially drain the battery by turning the climate control on and off.

From a pure security standpoint, the vulnerability is much less severe than previously discovered flaws in connected vehicles that allow attackers to take control of critical safety systems such as the vehicle’s braking, steering, and transmission functions.

But the breathtaking ease with which it can be exploited is disturbing, Hunt noted. The unique VIN for each LEAF is at the bottom of the front windscreen and is visible from the outside, so getting a VIN is not difficult. It’s also possible to find VINs for LEAF or any other vehicle on the web with little difficulty.

“Gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” Hunt wrote. “As car manufacturers rush towards joining in on the ‘Internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he said.

The incident is sure to fuel further concerns about the attention that automakers are paying to securing connected cars against remote attacks. Over the past few years, security researchers have demoed multiple remote attacks against connected vehicles, prompting concern from lawmakers and transportation safety officials alike.

Hunt’s demonstration of how easy it is to decipher the communication between the car and the back-end server highlights how security is often an afterthought when companies Internet-enable various technologies, said Reiner Kappenberger, global product manager for HPE Security. “We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker,” he said in a statement.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Yomphana,
User Rank: Apprentice
2/25/2016 | 6:13:58 PM
Multi-level authentication
It would be great if the system could authenticate with the VIN and customerID number, assuming that isn't too simple. Or send a pin number to the phone number affiliated with the VIN (assuming you can't hack and reset the number to a hacker's). Registration numbers are unique but I wonder if that would have any privacy issues. Regardless, multi-level authentication is our friend.