Nissan LEAF Open APIs Start the Hackers' Engines

By Tara Seals February 26, 2016

Completely unauthenticated APIs for the mobile app that goes with the Nissan LEAF have opened the door for hackers to remotely control the world’s best-selling electric vehicle.

In a stunning oversight in connected car security, security researchers Troy Hunt and Scott Helme found that an attacker with access to a vehicle’s VIN (something that’s visible in the windshield of every Nissan LEAF) can control the climate control and other features of someone else’s car, literally from the other end of the earth. They can also check the battery status, and access a person’s driving history—including locations and times, which is of course a potential privacy nightmare.

All it takes is issuing GET requests to the NissanConnect EV app, a simple enough process for even a novice hacker.
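The flaw described above, where the VIN in a GET request is the only thing identifying the caller, is sketched here as a server-side handler next to a corrected one. This is an added example, not code from Nissan or from the researchers; the handler names, token format, VIN placeholders and account names are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: VINs and accounts are placeholders, not real values.
SERVER_KEY = secrets.token_bytes(32)
OWNERS = {"VIN-PLACEHOLDER-0001": "alice", "VIN-PLACEHOLDER-0002": "bob"}
BATTERY = {"VIN-PLACEHOLDER-0001": 82, "VIN-PLACEHOLDER-0002": 40}

def _mac(account):
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()

def issue_token(account):
    """Issued after login; binds the session to an account, not to a VIN.
    (Hypothetical format; a production token also needs an expiry.)"""
    return f"{account}.{_mac(account)}"

def account_from_token(token):
    """Return the account name if the token's MAC verifies, else None."""
    account, _, mac = (token or "").rpartition(".")
    if account and hmac.compare_digest(mac.encode(), _mac(account).encode()):
        return account
    return None

def battery_status_unauthenticated(params):
    """Flawed pattern: the VIN in the query string acts as the only credential."""
    vin = params.get("vin")
    if vin not in BATTERY:
        return 404, None
    return 200, {"vin": vin, "battery": BATTERY[vin]}

def battery_status_authorized(params, headers):
    """Corrected pattern: authenticate the caller, then check VIN ownership."""
    account = account_from_token(headers.get("Authorization"))
    if account is None:
        return 401, None
    vin = params.get("vin")
    # Unknown and foreign VINs get the same answer, so responses do not
    # reveal which VINs are registered with the service.
    if OWNERS.get(vin) != account:
        return 403, None
    return 200, {"vin": vin, "battery": BATTERY[vin]}
```

The point of the second handler is that a VIN is an identifier, not a secret: ownership is decided from the authenticated session, and the VIN only selects among vehicles that session is already allowed to see.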

“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt explained, in a blog post. “That was a very serious issue. I reported it to Nissan the day after we discovered this, yet as of today – 32 days later – the issue remains unresolved.”

Hunt went on to say that the cat’s effectively out of the bag: Three separate parties contacted him, having found the issue independently, and the issue is being discussed openly in public forums.

The ramifications are clear. “Fortunately, the Nissan LEAF doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered,” said Helme. “Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf. Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it.”

Which is the equivalent of emptying a gas tank, leaving someone stranded.

But perhaps the main concern is the fact that the telematics system in the car is leaking historic driving data.

“That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove,” Helme said. “This could easily be used to build up a profile of my driving habits, considering it goes back almost two years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”

Despite being notified and acknowledging the flaw to Hunt, Nissan has yet to publicly comment on the issue or to issue a patch. In the meantime, car owners can disable the telematics part of the issue by logging out of the CarWings telematics service from their browser.

This is of course not the first worrying hack of a connected car. Last fall, U.S. auto giant Chrysler recalled 1.4 million cars (the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs) after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.

Security researchers Charlie Miller and Chris Valasek demonstrated – with an unsuspecting journalist driving 70mph on the freeway – that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering.

The issue demonstrates how important it is to secure APIs, the language of the connected device revolution. This is one of the topics of an upcoming conference on the interconnected ecosystem of technology solutions, services, apps and platforms that are powering more and more of our work and personal lives—All About the API will take place July 18-21 in Las Vegas.

Edited by Stefania Viscusi

Contributing Writer
