Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack
from the Internet-of-unsecured-things dept
You can add Nissan to the laundry list of companies that aren’t making security a priority in the Internet of Things era. A hacker this week revealed that vulnerabilities in the Nissan Leaf companion app allow an attacker to not only track a driver’s driving behavior, but to physically control the Leaf’s heating and cooling systems. While not quite as severe as some other car vulnerabilities that open vehicles to total control, the vulnerability still allows a hacker to cause some notable trouble by running down the Leaf’s batteries, potentially leaving an owner stranded.
Australian security researcher Troy Hunt stated he gave Nissan a month to fix the vulnerability before publicizing it, acting in part because he was already seeing online forum posters providing a web address used to spoof the app. Basically, Hunt notes that people simply need to write down a Leaf owner’s VIN number, and they’d be able to use a web browser to fool Nissan’s servers into controlling the Leaf’s systems remotely. Like so many IOT flaws, Hunt notes that security wasn’t just weak, it was non-existent. As in, no attempt at authentication at all:
“The right thing to do at the moment would be for Nissan to turn it off altogether,” Mr Hunt told the BBC. “They are going to have to let customers know. And to be honest, a fix would not be hard to do. It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”
Again, that’s a major automaker not just imposing bad security, but not even bothering with security period. Hackers can use the trick to collect Leaf owners’ names, as well as the duration, time and distance of recent trips. It’s also relatively simple to write a script that would move through potential VIN numbers to find cars to control — and people’s days to ruin:
“The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters. So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. ‘Normally it’s only the last five digits that differ,’ he explained. ‘There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one. They would then get a response that would confirm which vehicles exist.’”
Fortunately for Leaf owners, this is a fix that doesn’t require waiting for Nissan, since simply unregistering the CarWings companion app prevents the attack. Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you’ll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that’s just not going to cut it in the IOT age.
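The missing check Hunt describes, sketched from the server's side as an added example (this is not Nissan's code or Hunt's; the handler names, session table, threshold and placeholder VINs are all constructed for illustration). It contrasts a handler that trusts the VIN alone with one that ties the VIN to an authenticated account, gives the same refusal whether or not the vehicle exists, and flags clients that walk through many VINs.

```python
from collections import defaultdict

# Constructed sample data: session token -> account, account -> VINs it registered.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
OWNED_VINS = {"alice": {"EXAMPLEVIN0000001"}, "bob": {"EXAMPLEVIN0000002"}}

ENUM_THRESHOLD = 3               # assumed limit on distinct refused VINs per client
_refused = defaultdict(set)      # client id -> distinct VINs it was refused


def vulnerable_climate(vin):
    """The flaw as reported: the VIN alone selects the car, and the
    response tells the caller whether that vehicle exists."""
    known = any(vin in vins for vins in OWNED_VINS.values())
    return (200, "climate on") if known else (404, "unknown vehicle")


def hardened_climate(client_id, token, vin):
    """Authenticate the caller, then authorise the VIN against that account."""
    account = SESSIONS.get(token)
    if account is None:
        _refused[client_id].add(vin)
        return (401, "authentication required")
    if vin not in OWNED_VINS.get(account, set()):
        # Same answer for "someone else's car" and "no such car", so the
        # endpoint cannot be used to confirm which vehicles exist.
        _refused[client_id].add(vin)
        return (403, "forbidden")
    return (200, "climate on")


def enumeration_suspects():
    """Clients refused on ENUM_THRESHOLD or more distinct VINs."""
    return sorted(c for c, vins in _refused.items() if len(vins) >= ENUM_THRESHOLD)


if __name__ == "__main__":
    print(vulnerable_climate("EXAMPLEVIN0000002"))
    print(hardened_climate("203.0.113.7", "tok-alice", "EXAMPLEVIN0000002"))
    print(enumeration_suspects())
```

In a real service the session lookup would be whatever login mechanism the app already uses; the point is that the VIN is an identifier, not a credential.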
Comments on “Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack”
Not only have they forgotten security, they have an inbuilt insecurity. Nissan gets hacked, and the hacker pwns all Nissan cars.
Re: Re:
Nissan gets hacked, and the hacker pwns all Nissan cars.
You’re either not reading carefully or not writing carefully, because that is not what this article says.
If the car’s software can be updated from the internet, which it almost certainly can be (too lazy to look up)… This isn’t even the tip of the iceberg of what the car’s true vulnerability is.
Cars’ critical systems should not be connected to the internet, period. It’s unbelievably stupid and negligent the way a lot of cars are being designed these days.
Re: Re:
As awful as this is, it DOES NOT seem to involve critical systems. The very worst they can do is turn on your A/C, running down your battery. Critical systems would mean changing the cruise, activating the brakes, turning the wheel, changing the throttle. Thankfully, Nissan was not stupid enough to hook any critical systems to the network… YET.
Re: Re: Firewall fail
Just how strong is the firewall between the critical/non critical sides as they do have to communicate with each other at some point in the start up/power down cycle?
Can’t keep the AC running after the car is turned off so some comm is in place.
Re: Re: Re: Firewall fail
Can’t keep the AC running after the car is turned off so some comm is in place.
I don’t know one way or the other but I don’t think that proves the systems are connected. The main system could just cut the power to the A/C pump when the engine is turned off rather than sending a signal to the climate control/nav/entertainment system to do it.
Re: Re: Re:
Define critical. If it’s hot enough out to cause heat exhaustion, turning off the air conditioning and turning on the heater could (at least in theory) kill someone.
It seems that people want to make fun of me for not accepting IoT into my private life. Things that surface like this are coming up more and more frequently. If security on a car, which is of far more value than say a toaster or refrigerator, isn’t considered, pray tell why I would want a lower valued item with the high likelihood of having the same amount of security would be acceptable?
The last thing in the world I want is to have a toaster some bored young teen decided would be nice to burn up and take a house with it. It’s bad enough that all these corporations want to know everything about you through these IoTs but just like the commercial and ad groups they want all the problems to be on your end and just dumbly accept what they are dishing out to satisfy their insatiable need to collect data, putting all the risk on you.
This is exactly the same mentality and I refuse to accept it as business as usual.
Re: Re:
I agree. I recently updated my furnace and A/C and it came with a “free” web enabled thermostat. I had to get clearance from the company to “downgrade” without it costing me money (which they did) as I don’t need the headache of it.
… to not only track a driver’s driving behavior
Which means that it’s now possible to stalk every single person driving every single one of these cars (if the app is active).
Which in turn means that it’s possible not only to strand them (by exhausting the vehicle’s power) but to choose WHEN and WHERE to strand them.
Looking on down the road...
If they cannot get these things right how are they going to secure my self drive car so that I and only I can call it to come and pick me up from whatever parking space it found on its own?
In the meantime the IoT can stay on the Internet and out of my things.
It’s VIN!
Nissan’s connected car app offline after shocking vulnerability revealed
http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shocking-vulnerability-revealed/
Hardware makers don't know software
I think the biggest problem with IoT manufacturers is that, primarily, they are hardware makers, not software. They are moving into a field they have no real experience in, and it’s showing.
They may have some software people to make the firmware and low-level software that makes the hardware work, but they don’t know anything about “IT” services. At a minimum, the senior people don’t know about it, so security is an after-thought. It’s not needed for the hardware, so no one thinks about it when it comes to Internet connections.
Re: Hardware makers don't know software
I think this misses the mark a bit for two reasons. First, the line between “hardware” and “software” has been so fuzzy for so long that pretty much all hardware engineers are also software engineers — they’re just specialist software engineers.
Second, the general population of software engineers doesn’t do much better when it comes to software security. Software security all by itself is a specialty.
What needs to be done is something that would help resolve this problem altogether: the establishment of best practices that engineers are expected to follow to minimize security problems.
Told you, we will find ourselves wishing we had ‘dumb’ things if this IOT thing moves forward the way it is now.
Meanwhile, when they found a way to hack into a Tesla a few months back–which required physical, not remote, access–Tesla pushed a software patch out to all affected cars within days.
VIN
Normally it’s only the last five digits that differ,” he explained.
So what happens with the 100,001st Leaf? Reused VIN? I have heard Honda and maybe some other manufacturers reuse VINs – I don’t get why that’s even allowed.
GM, you’ll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that’s just not going to cut it in the IOT age.
It is if people keep buying the products.
Re: VIN
According to Wikipedia, it’s actually the last 8 digits that differ. #10 identifies the model year, #11 identifies the plant at which it was manufactured, and #12-17 are a serial number for the car. Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that’s not likely.
Re: Re: VIN
Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that’s not likely.
Oh, good. I’m not sure anything has ever sold over a million in one year, and if so it’s been a very long time. Plus if they ever got close to that they would probably have multiple plants making them.
Re: Re: VIN
I can tell you that the last 8 generally are unique but not always. Chrysler used to duplicate the last at times.
Leaf Blower !
(Sorry, couldn’t resist.)
does not involve critical systems
I did some research into this subject last year when car shopping. The ONLY manufacturer I found that WASN’T doing everything on a single bus (ie crit systems possibly accessible from internet) was Audi. Audi has a separate network for critical stuff.
Admittedly though- Nissan wasn’t even on my radar, so I never checked them.
Re: does not involve critical systems
Like emissions checking?
Critical systems vulnerable?
Some people seem to think that’s not too bad if the critical systems aren’t vulnerable.
What about the other problems?
– The hackers can get the owner’s personal information, including home address.
– The hackers can watch and see when the owners leave.
– Then the hackers and their team can rob the house, while one of the hackers keeps an eye on the tracker to know when the car is heading home.
– Then if the car is getting too close, fire up the controls to drain the battery and keep the owner stranded.
But at least the hackers can’t do anything to the car.
Re: Critical systems vulnerable?
Some people seem to think that’s not too bad if the critical systems aren’t vulnerable.
I think they’re saying it’s not as bad. Not that it isn’t bad or that it’s acceptable.