Automaker Nissan deactivated a remote access feature that let owners of its Leaf electric car remotely adjust climate controls and check battery status via a smartphone app. The move comes after a security researcher published his findings on a simple hack that allowed anyone with the right Leaf VIN to access the climate controls and GPS logs of the targeted vehicle.
Security researcher Troy Hunt reported the vulnerability on Wednesday. He blamed unprotected APIs that could be accessed by anyone using the NissanConnect host domain URL along with the last five digits of the targeted car’s vehicle identification number (VIN).
Hunt posted a video demonstration in which he was able to remotely retrieve battery status and GPS log data and control the AC and seat warmers of a car without using the NissanConnect EV app or NissanConnect website. In the video Hunt also demonstrates how it’s possible to access a vehicle’s trip logs, which revealed GPS logs and the dates, times and distances the car traveled.
Nissan spokesperson Steve Yaeger told Threatpost that the company has taken the servers for the mobile app offline. Yaeger said Nissan Leaf owners can still access the remote functions via the Nissan Owner Portal website, which is not at risk. The Nissan models impacted by the vulnerability include the Leaf car and eNV200 electric van.
“Exposure of GPS data and trip logs definitely raises privacy concerns here,” said Cris Thomas, strategist with security firm Tenable Network Security. To a lesser extent, Thomas said, the vulnerability could allow someone to maliciously run down a user’s battery by blasting the car’s AC and leaving them stranded.
Yaeger said Nissan has not had any reported incidents where Leaf or eNV200 vehicles were targeted by a hacker using this vulnerability.
Nissan says about 200,000 Leaf and eNV200 vehicles are impacted by the vulnerability. After disabling the app that gave car owners remote access to their cars, Nissan reassured its customers that they were safe. In a statement, Nissan wrote, “Our 200,000 Leaf drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”
Yaeger told Threatpost that Nissan will fix the problem via an updated app for smartphones, but declined to say when the app would be released.
Tenable’s Thomas points out that the extent of the Nissan Leaf vulnerability may never be known, given that Hunt quickly alerted the automaker to the problem. “I’m surprised a relatively simple vulnerability managed to sneak past Nissan so far into production,” Thomas said.
Hunt also acknowledged the scope of the vulnerability may have been bigger, writing, “I suspect that there are multiple other avenues where additional data about the vehicle and the owner can be retrieved once the VIN is known and that opens the door to a raft of other possible privacy risks.”
Hunt noted in his report that other researchers had also identified problems with Nissan’s NissanConnect EV smartphone app. One researcher was able to access the Leaf’s computer via their phone anonymously because the system failed to authenticate sessions. Hunt quotes a researcher in his report: “This API thing is just nuts. It’s not even like they just missed (authentication) or didn’t check (it), it’s actually not implemented. It was built, intentionally, without security.”
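The missing control described above, sketched as an added example that is not code from Hunt's report or from Nissan: a lookup keyed only on the VIN beside one that requires an authenticated session and checks that the session's account owns the vehicle. All names, the in-memory stores and the VINs are constructed for illustration.

```python
import secrets

# Constructed sample data: which account owns which vehicle (VINs are made up).
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
TELEMETRY = {"TESTVIN0000000001": {"battery_pct": 81},
             "TESTVIN0000000002": {"battery_pct": 40}}
SESSIONS = {}   # session token -> account, filled by login()
DENIED = []     # audit trail of refused requests, for detection


def login(account):
    """Stand-in for real credential verification; issues a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def battery_status_vin_only(vin):
    """Pattern described in the article: the VIN alone selects and unlocks the data."""
    data = TELEMETRY.get(vin)
    return (200, data) if data else (404, None)


def battery_status(token, vin):
    """Hardened form: the VIN is only a lookup key; access comes from the session."""
    account = SESSIONS.get(token)
    if account is None:
        DENIED.append(("no-session", vin))
        return (401, None)
    # Same answer for "unknown VIN" and "someone else's VIN", so the
    # response cannot be used to confirm which VINs exist.
    if OWNERS.get(vin) != account:
        DENIED.append((account, vin))
        return (403, None)
    return (200, TELEMETRY[vin])
```

The `DENIED` list stands in for an audit log: repeated 403s from one account across many VINs is the signal a monitoring rule would alert on.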
Over the past year, automakers Chrysler, General Motors, Toyota and Ford have each reported car-hacking vulnerabilities to varying degrees. The most alarming example of a car hack came from security researchers Charlie Miller and Chris Valasek, who demonstrated full remote access to a Jeep Cherokee and the ability to disable the car’s brakes and transmission.
“Car makers have to realize the dashboard computer is just as vulnerable to attacks as the PC sitting on their desk,” Thomas said.
While the Nissan hack lacked the same sophistication and potential for harm to consumers, Thomas said, any vulnerability in a car has the potential to cause harm. It’s one thing to gain control over someone’s refrigerator; it’s an entirely different matter when the device is a two-ton vehicle doing 70 MPH down the highway, he said.