Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack
from the Internet-of-unsecured-things dept
You can add Nissan to the laundry list of companies that aren’t making security a priority in the Internet of Things era. A hacker this week revealed that vulnerabilities in the Nissan Leaf companion app allows an attacker to not only track a driver’s driving behavior, but to physically control the Leaf’s heating and cooling systems. Not quite as severe some other car vulnerabilities that open vehicles to total control, the vulnerability still allows a hacker to cause some notable trouble by running down the Leaf’s batteries, potentially leaving an owner stranded.
Australian security researcher Troy Hunt stated he gave Nissan a month to fix the vulnerability before publicizing it, acting in part because he was already seeing online forum posters providing a web address used to spoof the app. Basically, Hunt notes that people simply need to write down a Leaf owner’s VIN number, and they’d be able to use a web browser to fool Nissan’s servers into controlling the Leaf’s systems remotely. Like so many IOT flaws, Hunt notes that security wasn’t just weak, it was non-existent. As in, no attempt at authentication at all:
“The right thing to do at the moment would be for Nissan to turn it off altogether,” Mr Hunt told the BBC. “They are going to have to let customers know. And to be honest, a fix would not be hard to do. “It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”
Again, that’s a major automaker not just imposing bad security, but not even bothering with security period. Hackers can use the trick to collect Leaf owners’ names, as well as the duration, time and distance of recent trips. It’s also relatively simple to write a script that would move through potential VIN numbers to find cars to control — and people’s days to ruin:
“The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters. So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. Normally it’s only the last five digits that differ,” he explained. “There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one. “They would then get a response that would confirm which vehicles exist.”
Fortunately for Leaf owners, this is a fix that doesn’t require waiting for Nissan, since simply unregistering the CarWings companion app prevents the attack. Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you’ll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that’s just not going to cut it in the IOT age.