Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack

from the Internet-of-unsecured-things dept

You can add Nissan to the laundry list of companies that aren’t making security a priority in the Internet of Things era. A hacker this week revealed that vulnerabilities in the Nissan Leaf companion app allows an attacker to not only track a driver’s driving behavior, but to physically control the Leaf’s heating and cooling systems. Not quite as severe some other car vulnerabilities that open vehicles to total control, the vulnerability still allows a hacker to cause some notable trouble by running down the Leaf’s batteries, potentially leaving an owner stranded.

Australian security researcher Troy Hunt stated he gave Nissan a month to fix the vulnerability before publicizing it, acting in part because he was already seeing online forum posters providing a web address used to spoof the app. Basically, Hunt notes that people simply need to write down a Leaf owner’s VIN number, and they’d be able to use a web browser to fool Nissan’s servers into controlling the Leaf’s systems remotely. Like so many IOT flaws, Hunt notes that security wasn’t just weak, it was non-existent. As in, no attempt at authentication at all:

“The right thing to do at the moment would be for Nissan to turn it off altogether,” Mr Hunt told the BBC. “They are going to have to let customers know. And to be honest, a fix would not be hard to do. “It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”

Again, that’s a major automaker not just imposing bad security, but not even bothering with security period. Hackers can use the trick to collect Leaf owners’ names, as well as the duration, time and distance of recent trips. It’s also relatively simple to write a script that would move through potential VIN numbers to find cars to control — and people’s days to ruin:

“The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters. So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. Normally it’s only the last five digits that differ,” he explained. “There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one. “They would then get a response that would confirm which vehicles exist.”

Fortunately for Leaf owners, this is a fix that doesn’t require waiting for Nissan, since simply unregistering the CarWings companion app prevents the attack. Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you’ll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that’s just not going to cut it in the IOT age.

Filed Under: , , ,
Companies: nissan

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack”

Subscribe: RSS Leave a comment
27 Comments
Anonymous Coward says:

If the cars software can be updated from the internet- which it almost certainly can be (to lazy to look up)… This isn’t even the tip of the iceburg of what the cars true vulnerability is.

Cars’ critical systems should not be connected to the internet, period. It’s unbelievably stupid and negligent the way allot of cars are being designed these days.

Anonymous Coward says:

Re: Re:

as awful as this is, it DOES NOT seem to involve critical systems. the vary worst they can do is turn on your A/C, running down your battery. Critical systems would mean, changing the cruse, activating the breaks, turning the wheel, changing the throttle. Thankfully, Nissan was not stupid enough to hook any critical systems to the network… YET.

nasch (profile) says:

Re: Re: Re: Firewall fail

Can’t keep the AC running after the car is turned off so some comm is in place.

I don’t know one way or the other but I don’t think that proves the systems are connected. The main system could just cut the power to the A/C pump when the engine is turned off rather than sending a signal to the climate control/nav/entertainment system to do it.

Anonymous Coward says:

It seems that people want to make fun of me for not accepting IoT into my private life. Things that surface like this are coming up more and more frequently. If security on a car, which is of far more value than say a toaster or refrigerator, isn’t considered, pray tell why I would want a lower valued item with the high likelihood of having the same amount of security would be acceptable?

The last thing in the world I want is to have a toaster some bored young teen decided would be nice to burn up and take a house with it. It’s bad enough that all these corporations want to know everything about you through these IoTs but just like the commercial and ad groups they want all the problems to be on your end and just dumbly accept what they are dishing out to satisfy their insatiable need to collect data, putting all the risk on you.

This is exactly the same mentality and I refuse to accept it as business as usual.

Cody Jackson (profile) says:

Hardware makers don't know software

I think the biggest problem with IoT manufacturers is that, primarily, they are hardware makers, not software. They are moving into a field they have no real experience in, and it’s showing.

They may have some software people to make the firmware and low-level software that makes the hardware work, but they don’t know anything about “IT” services. At a minimum, the senior people don’t know about it, so security is an after-thought. It’s not needed for the hardware, so no one thinks about it when it comes to Internet connections.

John Fenderson (profile) says:

Re: Hardware makers don't know software

I think this misses the mark a bit for two reasons. First, the line between “hardware” and “software” has been so fuzzy for so long that pretty much all hardware engineers are also software engineers — they’re just specialist software engineers.

Second, the general population of software engineers doesn’t do much better when it comes to software security. Software security all by itself is a specialty.

What needs to be done is something that would help resolve this problem altogether: the establishment of best practices that engineers are expected to follow to minimize security problems.

Mason Wheeler (profile) says:

Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you’ll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that’s just not going to cut it in the IOT age.

Meanwhile, when they found a way to hack into a Tesla a few months back–which required physical, not remote, access–Tesla pushed a software patch out to all affected cars within days.

nasch (profile) says:

VIN

Normally it’s only the last five digits that differ,” he explained.

So what happens with the 100,001st Leaf? Reused VIN? I have heard Honda and maybe some other manufacturers reuse VINs – I don’t get why that’s even allowed.

GM, you’ll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that’s just not going to cut it in the IOT age.

It is if people keep buying the products.

Mason Wheeler (profile) says:

Re: VIN

So what happens with the 100,001st Leaf? Reused VIN?

According to Wikipedia, it’s actually the last 8 digits that differ. #10 identifies the model year, #11 identifies the plant at which it was manufactured, and #12-17 are a serial number for the car. Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that’s not likely.

nasch (profile) says:

Re: Re: VIN

Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that’s not likely.

Oh, good. I’m not sure anything has ever sold over a million in one year, and if so it’s been a very long time. Plus if they ever got close to that they would probably have multiple plants making them.

Anonymous Coward says:

does not involve critical systems

I did some research into this subject last year when car shopping. The ONLY manufacturer I found that WASN’T doing everything on a single bus (ie crit systems possibly accessible from internet) was Audi. Audi has a separate network for critical stuff.

Admittedly though- Nissan wasn’t even on my radar, so I never checked them.

John85851 (profile) says:

Critical systems vulernable?

Some people seem to think that’s not too bad if the critical systems aren’t vulernable.
What about the other problems?
– The hackers can get the owner’s personal information, including home address.
– The hackers can watch and see when the owners leave.
– Then the hackers and their team can rob the house, while one of the hacker keeps an eye on the tracker to know when the car is heading home.
– Then if the car getting too close, fire up the controls to drain the battery and keep the owner stranded.

But at least the hackers can’t do anything to the car.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...