Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/25/2016
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Nissan Disables LEAF’s Remote Telematics System After ‘Profoundly Trivial’ Hack

All that is needed to gain access to any LEAF's telematics system is the car's VIN, researcher says.

Automaker Nissan Motor Company has temporarily disabled a remote telematics system in its LEAF electric vehicles after a security researcher showed how attackers could abuse it to gain access to the car’s battery charging and climate control systems from literally anywhere in the world.

In an emailed statement to Dark Reading, Nissan said its NissanConnect EV app is currently unavailable following the security researcher’s disclosure and Nissan’s own internal investigation of the issue. The statement described the problem as involving the dedicated server for the NissanConnect app, which enables remote control of the LEAF’s temperature control system and other telematics.

“No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence,” the statement read. “The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”

Nissan’s move to temporarily disable the NissanConnect EV app follows Australian security researcher Troy Hunt’s description this week of a method to take remote control of the system on any LEAF vehicle, using little more than the car’s Vehicle Identification Number (VIN).

According to Hunt, the problem has to do with the Application Programming Interface (API) that brokers the connection between the user’s smartphone and Nissan’s app servers. The manner in which the NissanConnect’s APIs authenticates requests to the services running on the back end servers are so weak that a VIN is all that is needed for someone to access and remotely control a LEAF’s telematics system.

Hunt said that when he looked at how the NissanConnect mobile app talked to the online service, he found the service responding to app requests without requiring any authentication beyond just the VIN. In other words, there was nothing to tie API calls made by the mobile app to a specific vehicle. Without even logging into the Nissan system, or authenticating identity in any way, an attacker could control the telematics on any NissanConnect-enabled vehicle anywhere, using its VIN.

In addition to gathering information like the battery charge status, the vehicle’s movements and when the vehicle was last operated, an attacker could use the vulnerability to potentially drain the battery by turning the climate control on and off.

From a pure security standpoint, the vulnerability is much less severe than previously discovered flaws in connected vehicles that allow attackers to take control of critical safety systems such as the vehicle’s braking, steering, and transmission functions.

But the breathtaking ease with which it can be exploited is disturbing, Hunt noted. The unique VIN for each LEAF is at the bottom of the front windscreen and is visible from the outside, so getting a VIN is not difficult. It’s also possible to find VINs for LEAF or any other vehicle on the web with little difficulty.

“Gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” Hunt wrote. “As car manufacturers rush towards joining in on the “Internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he said.

The incident is sure to fuel further concerns about the attention that automakers are paying to securing connected cars against remote attacks. Over the past few years security researchers have demoed multiple remote attacks against connected vehicles prompting concern from lawmakers and transportation safety officials alike.

Hunt’s demonstration of how easy it is to decipher the communication between the car and the back end server highlights how security is often an afterthought when companies Internet-enable various technologies said Reiner Kappenberger, global product manager for HPE Security. “We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker,” he said in a statement.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Yomphana
50%
50%
Yomphana,
User Rank: Apprentice
2/25/2016 | 6:13:58 PM
Multi-level authentication
It would be great if the system could authenticate with the VIN and customerID number assuming that isn't too simple.   Or send a pin number to the phone number affliliateed with the VIN (assuming you can't hack and reset the number to a hacker's).  Registration numbers are unique but I wonder if that would have any privacy issues. Regardless multi-level authentication is our friend.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9501
PUBLISHED: 2019-10-22
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
CVE-2019-16971
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVE-2019-16972
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16973
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.