Completely unauthenticated APIs for the mobile app that goes with the Nissan LEAF have opened the door for hackers to remotely control the world’s best-selling electric vehicle.
In a stunning oversight in connected car security, security researchers Troy Hunt and Scott Helme found that an attacker who knows a vehicle’s VIN (something that’s visible in the windshield of every Nissan LEAF) can control the climate control and other features of someone else’s car, literally from the other end of the earth. They can also check the battery status, and access a person’s driving history—including locations and times, which is of course a potential privacy nightmare.
All it takes is issuing GET requests to the NissanConnect EV app, a simple enough process for even a novice hacker.
“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt explained in a blog post. “That was a very serious issue. I reported it to Nissan the day after we discovered this, yet as of today – 32 days later – the issue remains unresolved.”
Hunt went on to say that the cat’s effectively out of the bag: Three separate parties contacted him, having found the issue independently, and the issue is being discussed openly in public forums.
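The flaw described above, reduced to its access-control logic, as an added example that is not Nissan's code or the researchers': a handler that trusts the VIN alone, beside one that authenticates the caller and checks the VIN against that caller's account. All function names, tokens, VINs and action names are hypothetical and constructed for illustration.

```python
import hmac

# Constructed sample data: session token -> account, account -> owned VINs.
SESSIONS = {"tok-alice-1f3c": "alice", "tok-bob-9a7e": "bob"}
OWNED_VINS = {"alice": {"TESTVIN0000000001"}, "bob": {"TESTVIN0000000002"}}
STATE_CHANGING = {"climate_on", "climate_off"}      # hypothetical action names
READ_ONLY = {"battery_status", "trip_history"}


def handle_vulnerable(method, action, vin, token=None):
    """The flawed pattern: the VIN alone selects the car; caller is never identified."""
    if action in STATE_CHANGING | READ_ONLY:
        return 200, f"{action} executed for {vin}"
    return 404, "unknown action"


def _account_for(token):
    """Resolve a session token to an account, comparing in constant time."""
    if token is None:
        return None
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return account
    return None


def handle_hardened(method, action, vin, token=None):
    """Authenticate the caller, then authorize the VIN against that account."""
    if action not in STATE_CHANGING | READ_ONLY:
        return 404, "unknown action"
    account = _account_for(token)
    if account is None:
        return 401, "authentication required"
    # Same answer for "not yours" and "does not exist", so responses
    # do not reveal which VINs are enrolled in the service.
    if vin not in OWNED_VINS.get(account, set()):
        return 403, "forbidden"
    # Added hardening step: commands that change vehicle state are not accepted over GET.
    if action in STATE_CHANGING and method != "POST":
        return 405, "use POST for state-changing actions"
    return 200, f"{action} executed for {vin}"


if __name__ == "__main__":
    # No credentials, someone else's VIN: accepted by one handler, refused by the other.
    print(handle_vulnerable("GET", "climate_on", "TESTVIN0000000002"))
    print(handle_hardened("GET", "climate_on", "TESTVIN0000000002"))
    # A valid session for alice still cannot reach bob's car.
    print(handle_hardened("POST", "climate_on", "TESTVIN0000000002", "tok-alice-1f3c"))
```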
The ramifications are clear. “Fortunately, the Nissan LEAF doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered,” said Helme. “Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf. Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it.”
That is the equivalent of emptying a gas tank, leaving someone stranded.
But perhaps the main concern is the fact that the telematics system in the car is leaking historic driving data.
“That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove,” Helme said. “This could easily be used to build up a profile of my driving habits, considering it goes back almost two years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”
Despite being notified and acknowledging the flaw to Hunt, Nissan has yet to publicly comment on the issue or to issue a patch. In the meantime, car owners can disable the telematics part of the issue by logging out of the CarWings telematics service from their browser.
This is of course not the first time a connected car has been worryingly hacked. Last fall, U.S. auto giant Chrysler recalled 1.4 million cars (the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs) after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.
Security researchers Charlie Miller and Chris Valasek demonstrated – with an unsuspecting journalist driving 70 mph on the freeway – that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering.
The issue demonstrates how important it is to secure APIs, the language of the connected device revolution. This is one of the topics of an upcoming conference on the interconnected ecosystem of technology solutions, services, apps and platforms that are powering more and more of our work and personal lives—All About the API will take place July 18-21 in Las Vegas.