Nissan LEAF Open APIs Start the Hackers' Engines

By

Completely unauthenticated APIs for the mobile app that goes with the Nissan LEAF have opened the door for hackers to remotely control the world’s best-selling electric vehicle.

In a stunning oversight in connected car security, security researchers Troy Hunt and Scott Helme found that an attacker with access to a vehicle’s VIN number (something that’s visible in the windshield of every Nissan LEAF) can control the climate control and other features of someone else’s car, literally from the other end of the earth. They can also check the battery status, and access a person’s driving history—including locations and times, which is of course a potential privacy nightmare.

All it takes is issuing GET requests to the NissanConnect EV app, a simple enough process for even a novice hacker.

“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt explained, in a blog. “That’s was a very serious issue. I reported it to Nissan the day after we discovered this, yet as of today – 32 days later – the issue remains unresolved.”

Hunt went on to say that the cat’s effectively out of the bag: Three separate parties contacted him, having found the issue independently, and the issue is being discussed openly in public forums.

The ramifications are clear. “Fortunately, the Nissan LEAF doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered,” said Helme. “Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf. Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it.”

Which is the equivalent of emptying a gas tank, leaving someone stranded.

But perhaps the main concern is the fact that the telematics system in the car is leaking historic driving data.

“That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove,” Helme said. “This could easily be used to build up a profile of my driving habits, considering it goes back almost two years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”

Despite being notified and acknowledging the flaw to Hunt, Nissan has yet to publically comment on the issue or to issue a patch. In the meantime, car owners can disable the telematics part of the issue by logging out of the CarWings telematics service from their browser.

This is of course not the first time a connected car has been worryingly hacked. Last fall, U.S. auto giant Chrysler recalled 1.4 million cars (the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs) after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.

Security researchers Charlie Miller and Chris Valasek demonstrated – with an unsuspecting journalist driving 70mph on the freeway – that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering.

The issue demonstrates how important it is to secure APIs, the language of the connected device revolution. This is one of the topics of an upcoming conference on the interconnected ecosystem of technology solutions, services, apps and platforms that are powering more and more of our work and personal lives—All About the API will take place July 18-21 in Las Vegas.




Edited by Stefania Viscusi

Contributing Writer

SHARE THIS ARTICLE
Related Articles

Coding and Invention Made Fun

By: Special Guest    10/12/2018

SAM is a series of kits that integrates hardware and software with the Internet. Combining wireless building blocks composed of sensors and actors con…

Read More

Facebook Marketplace Now Leverages AI

By: Paula Bernier    10/3/2018

Artificial intelligence is changing the way businesses interact with customers. Facebook's announcement this week is just another example of how this …

Read More

Oct. 17 Webinar to Address Apache Spark Benefits, Tools

By: Paula Bernier    10/2/2018

In the upcoming webinar "Apache Spark: The New Enterprise Backbone for ETL, Batch and Real-time Streaming," industry experts will offer details on clo…

Read More

It's Black and White: Cybercriminals Are Spending 10x More Than Enterprises to Control, Disrupt and Steal

By: Cynthia S. Artin    9/26/2018

In a stunning new report by Carbon Black, "Hacking, Escalating Attacks and The Role of Threat Hunting" the company revealed that 92% of UK companies s…

Read More

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More