Last month, when researcher Troy Hunt argued the dangers of insecure APIs at a security workshop, little did he know hours later he would discover an API vulnerability that allowed remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles.
“After talking about the way applications can sometimes get APIs wrong, a workshop attendee goes back to his hotel room and 15 minutes later calls to say he has found something fishy with the Nissan Leaf smartphone app,” Hunt said in an interview with Threatpost, speaking about the discovery.
The vulnerability, it turned out, allowed anyone with the right Nissan Leaf and eNV200 vehicle identification number (VIN) to remotely access the car’s climate controls, battery status and GPS logs that included the dates, times and distances the car traveled.
This was not exactly the type of vulnerability discovered by Charlie Miller and Chris Valasek who demonstrated full remote access to a Jeep Cherokee in 2015. But, Hunt says, the Nissan vulnerability stood out because the hack was so easy to execute allowing any smartphone to remotely control any of the 200,000 impacted Nissan cars – no matter where they were located. In fact, Hunt made a video of himself in Australia hacking a friend’s car based in the UK to prove the point.
On Tuesday, Nissan told Threatpost it took the servers for the NissanConnect EV app offline. A spokesperson said is a new secure app is on its way, but wouldn’t say when it would be available.
While the Nissan vulnerability may be limited in scope, Hunt said, an attacker could have still cause headaches for Leaf and eNV200 car owners. “The first thing when it comes to determining risk is what you could control? The second thing to ask is, what type of data could someone retrieve?”
Hunt said most drivers expect a level of privacy when it comes to GPS tracking data that included time and distance traveled. But, beyond the clear privacy violation the Nissan vulnerability posed, there were ways the hack could cause real damage to Nissan car owners. “There are a lot of weird antagonistic stuff that goes on the internet,” Hunt said. “There is no doubt if a hacker can figure out how to exploit this vulnerability they would.”
In one scenario, an attacker could remotely drain a Leaf’s battery by running heat or cooling systems stranding the driver. An attacker might also write a script that turns the AC off and on every 30 seconds until something fails. “Now imagine a hacker has the VIN numbers of thousands of cars and runs that script. There is the potential for some costly damages,” he said.
Hunt said VIN numbers are extremely easy to find and can reveal information about where the car was last serviced. Try searching automobile retailer Cars.com for Nissan Leafs and hundreds of cars are listed with their VIN numbers easily accessible, he said. With the last five digits of a Nissan Leaf and eNV200 VIN number, Hunt’s vulnerability gave you remote access to that car.
Here’s how the hack worked.
Hunt first downloaded and registered the Nissan’s NissanConnect EV app on his phone. Next, he watched to see what backend server the app was communicating with. As he was doing this he discovered that the vehicle the app was designed to control was identified by the last five numbers of the car’s VIN number. That VIN data was located in URL requests the app made to Nissan. Swap out the VIN number and control a different car, Hunt discovered.
But what really startled Hunt was the fact that the APIs on the server that the NissanConnect EV app connected to were not authenticating the user. That allowed anyone who had credentials to use the Nissan app to anonymously send requests for a specific Leaf to turn on its climate control. Another URL request allowed you to view battery life. And another returned GPS data.
“When you make a request to the car, you are never asked if you are authorized to access this resource,” Hunt said. He politely described Nissan’s lack of safeguards as “a unique design choice.” Others in the security community called it a serious security flaw. In fact, Nissan Leaf owners were starting to grow concerned, Hunt said. He noticed message boards where car owners were grousing over how poorly designed the NissanConnect EV app was and looking for workarounds.
Hunt said, Leaf owners were trying to figure out how to manipulate their vehicles because the app was unreliable and cumbersome. “A number of frustrated app users figured out all they needed to do was feed a URL into a browser to turn on their car’s heat,” Hunt said.
When Hunt originally took his findings to Nissan, he said they were all ears. Then, after the initial private disclosure, Hunt said, Nissan gave him the cold shoulder and still didn’t fix the problem. Weeks later, when Hunt pointed out customers were slowly figuring out the vulnerability on their own, he told Nissan he was going to post his research on his website.
“Nissan was not considering this situation urgent,” Hunt said. “I finally told Nissan I was publishing my findings before the vulnerability became more widely known and abused.” It was only then, on Wednesday, that Nissan shut down the app that was creating the problem.
“At the end of the day this is a web vulnerability,” Hunt said. “It just so happens the vulnerability in this case controls a car. Nissan just didn’t think anyone would ever reverse engineer its system,” he said. Hunt theorizes that Nissan just didn’t factor security into the design of the system.
“Whether it’s car manufacturer or toy manufacturer, security has to be built into the design and should never be an afterthought,” Hunt said.