Nissan LEAF Open APIs Start the Hackers' Engines

By Tara Seals February 26, 2016

Completely unauthenticated APIs for the mobile app that goes with the Nissan LEAF have opened the door for hackers to remotely control the world’s best-selling electric vehicle.

In a stunning oversight in connected car security, security researchers Troy Hunt and Scott Helme found that an attacker who knows a vehicle’s VIN (the vehicle identification number, which is visible through the windshield of every Nissan LEAF) can control the climate control and other features of someone else’s car, literally from the other end of the earth. They can also check the battery status and access a person’s driving history, including locations and times, which is of course a potential privacy nightmare.

All it takes is issuing GET requests to the web API behind the NissanConnect EV app, a simple enough process for even a novice hacker, because the API requires no authentication and identifies the car by nothing more than its VIN.

“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt explained, in a blog. “That was a very serious issue. I reported it to Nissan the day after we discovered this, yet as of today – 32 days later – the issue remains unresolved.”
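To make the design flaw concrete, here is an added illustration (not Nissan's code, and not the real NissanConnect endpoints) of a vehicle API whose only input is the VIN, beside a hardened version that ties every read and every state change to an authenticated account that owns that VIN. The VINs, accounts and session tokens are constructed placeholders.

```python
from typing import Dict, Optional, Set

# Constructed sample data: placeholder VINs and tokens, not real vehicles or accounts.
VEHICLES: Dict[str, dict] = {
    "LEAFVIN000000001": {"battery_pct": 80, "climate_on": False,
                         "trips": ["2016-02-01 08:05 12.3 km"]},
    "LEAFVIN000000002": {"battery_pct": 55, "climate_on": False,
                         "trips": ["2016-02-02 17:40 4.1 km"]},
}
OWNERSHIP: Dict[str, Set[str]] = {"alice": {"LEAFVIN000000001"}, "bob": {"LEAFVIN000000002"}}
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
DENIALS: Dict[str, int] = {}  # denied requests per caller; a spike across many VINs is an enumeration signal


class Forbidden(Exception):
    """Raised when the caller may not access the requested vehicle."""


def battery_status_vulnerable(vin: str) -> dict:
    """The flawed pattern: the VIN is the only input and no caller identity is
    checked, so anyone who can read or enumerate VINs can query any vehicle."""
    return VEHICLES[vin]


def _authorize(token: Optional[str], vin: str) -> str:
    """Resolve the caller from a session token and require that the account owns the VIN."""
    user = SESSIONS.get(token or "")
    if user is None or vin not in OWNERSHIP.get(user, set()):
        # One uniform error for 'no session', 'not your car' and 'unknown VIN',
        # so the endpoint cannot be used as an oracle to confirm which VINs exist.
        caller = token or "anonymous"
        DENIALS[caller] = DENIALS.get(caller, 0) + 1
        raise Forbidden("vehicle not accessible")
    return user


def battery_status_hardened(token: Optional[str], vin: str) -> dict:
    _authorize(token, vin)
    return {"battery_pct": VEHICLES[vin]["battery_pct"]}


def set_climate_hardened(token: Optional[str], vin: str, on: bool) -> bool:
    """State-changing calls get exactly the same ownership check as reads."""
    _authorize(token, vin)
    VEHICLES[vin]["climate_on"] = on
    return VEHICLES[vin]["climate_on"]


def driving_history_hardened(token: Optional[str], vin: str) -> list:
    _authorize(token, vin)
    return list(VEHICLES[vin]["trips"])


def is_denied(token: Optional[str], vin: str) -> bool:
    """True when the hardened battery endpoint refuses the request."""
    try:
        battery_status_hardened(token, vin)
        return False
    except Forbidden:
        return True
```

The vulnerable handler answers any caller who supplies a VIN; the hardened handlers refuse an unauthenticated caller, another owner's car, and an unknown VIN with the same response, and count the refusals so repeated denials from one caller can be alerted on.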

Hunt went on to say that the cat’s effectively out of the bag: Three separate parties contacted him, having found the issue independently, and the issue is being discussed openly in public forums.

The ramifications are clear. “Fortunately, the Nissan LEAF doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered,” said Helme. “Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf. Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it.”

That is the equivalent of emptying a gas tank and leaving someone stranded.

But perhaps the main concern is the fact that the telematics system in the car is leaking historic driving data.

“That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove,” Helme said. “This could easily be used to build up a profile of my driving habits, considering it goes back almost two years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”

Despite being notified and acknowledging the flaw to Hunt, Nissan has yet to publicly comment on the issue or to issue a patch. In the meantime, car owners can disable the telematics part of the issue by logging out of the CarWings telematics service from their browser.

This is of course not the first time a connected car has been worryingly hacked. Last fall, U.S. auto giant Chrysler recalled 1.4 million cars (the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs) after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.

Security researchers Charlie Miller and Chris Valasek demonstrated – with an unsuspecting journalist driving 70mph on the freeway – that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering.

The issue demonstrates how important it is to secure APIs, the language of the connected device revolution. This is one of the topics of an upcoming conference on the interconnected ecosystem of technology solutions, services, apps and platforms that are powering more and more of our work and personal lives—All About the API will take place July 18-21 in Las Vegas.




Edited by Stefania Viscusi

Contributing Writer
