Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack

from the Internet-of-unsecured-things dept

You can add Nissan to the laundry list of companies that aren't making security a priority in the Internet of Things era. A hacker this week revealed that vulnerabilities in the Nissan Leaf companion app allows an attacker to not only track a driver's driving behavior, but to physically control the Leaf's heating and cooling systems. Not quite as severe some other car vulnerabilities that open vehicles to total control, the vulnerability still allows a hacker to cause some notable trouble by running down the Leaf's batteries, potentially leaving an owner stranded.

Australian security researcher Troy Hunt stated he gave Nissan a month to fix the vulnerability before publicizing it, acting in part because he was already seeing online forum posters providing a web address used to spoof the app. Basically, Hunt notes that people simply need to write down a Leaf owner's VIN number, and they'd be able to use a web browser to fool Nissan's servers into controlling the Leaf's systems remotely. Like so many IOT flaws, Hunt notes that security wasn't just weak, it was non-existent. As in, no attempt at authentication at all:
"The right thing to do at the moment would be for Nissan to turn it off altogether," Mr Hunt told the BBC. "They are going to have to let customers know. And to be honest, a fix would not be hard to do. "It's not that they have done authorisation [on the app] badly, they just haven't done it at all, which is bizarre."
Again, that's a major automaker not just imposing bad security, but not even bothering with security period. Hackers can use the trick to collect Leaf owners' names, as well as the duration, time and distance of recent trips. It's also relatively simple to write a script that would move through potential VIN numbers to find cars to control -- and people's days to ruin:
"The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm's headquarters. So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. Normally it's only the last five digits that differ," he explained. "There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one. "They would then get a response that would confirm which vehicles exist."
Fortunately for Leaf owners, this is a fix that doesn't require waiting for Nissan, since simply unregistering the CarWings companion app prevents the attack. Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you'll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that's just not going to cut it in the IOT age.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: authentication, iot, nissan leaf, security
Companies: nissan


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 25 Feb 2016 @ 2:15pm

    Not only have they forgotten security, they have an inbuilt insecurity. Nissan gets hacked, and the hacker pwns all Nissan cars.

    link to this | view in chronology ]

    • icon
      nasch (profile), 26 Feb 2016 @ 8:48am

      Re:

      Nissan gets hacked, and the hacker pwns all Nissan cars.

      You're either not reading carefully or not writing carefully, because that is not what this article says.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 2:16pm

    If the cars software can be updated from the internet- which it almost certainly can be (to lazy to look up)... This isn't even the tip of the iceburg of what the cars true vulnerability is.

    Cars' critical systems should not be connected to the internet, period. It's unbelievably stupid and negligent the way allot of cars are being designed these days.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Feb 2016 @ 8:57am

      Re:

      as awful as this is, it DOES NOT seem to involve critical systems. the vary worst they can do is turn on your A/C, running down your battery. Critical systems would mean, changing the cruse, activating the breaks, turning the wheel, changing the throttle. Thankfully, Nissan was not stupid enough to hook any critical systems to the network... YET.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Feb 2016 @ 2:17am

        Re: Re: Firewall fail

        Just how strong is the firewall between the critical/non critical sides as they do have to communicate with each other at some point in the start up/power down cycle?
        Can't keep the AC running after the car is turned off so some comm is in place.

        link to this | view in chronology ]

        • icon
          nasch (profile), 27 Feb 2016 @ 7:08am

          Re: Re: Re: Firewall fail

          Can't keep the AC running after the car is turned off so some comm is in place.

          I don't know one way or the other but I don't think that proves the systems are connected. The main system could just cut the power to the A/C pump when the engine is turned off rather than sending a signal to the climate control/nav/entertainment system to do it.

          link to this | view in chronology ]

      • icon
        Bergman (profile), 27 Feb 2016 @ 3:16pm

        Re: Re:

        Define critical. If it's hot enough out to cause heat exhaustion, turning off the air conditioning and turning on the heater could (at least in theory) kill someone.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 2:38pm

    It seems that people want to make fun of me for not accepting IoT into my private life. Things that surface like this are coming up more and more frequently. If security on a car, which is of far more value than say a toaster or refrigerator, isn't considered, pray tell why I would want a lower valued item with the high likelihood of having the same amount of security would be acceptable?

    The last thing in the world I want is to have a toaster some bored young teen decided would be nice to burn up and take a house with it. It's bad enough that all these corporations want to know everything about you through these IoTs but just like the commercial and ad groups they want all the problems to be on your end and just dumbly accept what they are dishing out to satisfy their insatiable need to collect data, putting all the risk on you.

    This is exactly the same mentality and I refuse to accept it as business as usual.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2016 @ 2:51pm

      Re:

      I agree. I recently updated my furnace and A/C and it came with a "free" web enabled thermostat. I had to get clearance from the the company to "downgrade" without it costing me money (which the did) as I don't need the headache of it.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 2:44pm

    ... to not only track a driver's driving behavior

    Which means that it's now possible to stalk every single person driving every single one of these cars (if the app is active).

    Which in turn means that it's possible not only to strand them (by exhausting the vehicle's power) but to choose WHEN and WHERE to strand them.

    link to this | view in chronology ]

  • identicon
    Anonymous Anonymous Coward, 25 Feb 2016 @ 3:11pm

    Looking on down the road...

    If they cannot get these things right how are they going to secure my self drive car so that I and only I can call it to come and pick me up from whatever parking space if found on its own?

    In the meantime the IoT can stay on the Internet and out of my things.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2016 @ 4:34pm

    It's VIN!

    link to this | view in chronology ]

  • identicon
    Tim, 25 Feb 2016 @ 5:45pm

    Nissan’s connected car app offline after shocking vulnerability revealed
    http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shocking-vulnera bility-revealed/

    link to this | view in chronology ]

  • icon
    Cody Jackson (profile), 26 Feb 2016 @ 4:33am

    Hardware makers don't know software

    I think the biggest problem with IoT manufacturers is that, primarily, they are hardware makers, not software. They are moving into a field they have no real experience in, and it's showing.

    They may have some software people to make the firmware and low-level software that makes the hardware work, but they don't know anything about "IT" services. At a minimum, the senior people don't know about it, so security is an after-thought. It's not needed for the hardware, so no one thinks about it when it comes to Internet connections.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 26 Feb 2016 @ 8:21am

      Re: Hardware makers don't know software

      I think this misses the mark a bit for two reasons. First, the line between "hardware" and "software" has been so fuzzy for so long that pretty much all hardware engineers are also software engineers -- they're just specialist software engineers.

      Second, the general population of software engineers doesn't do much better when it comes to software security. Software security all by itself is a specialty.

      What needs to be done is something that would help resolve this problem altogether: the establishment of best practices that engineers are expected to follow to minimize security problems.

      link to this | view in chronology ]

  • icon
    Ninja (profile), 26 Feb 2016 @ 4:56am

    Told you, we will find ourselves wishing we had 'dumb' things if this IOT thing moves forward the way it is now.

    link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 26 Feb 2016 @ 7:31am

    Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you'll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that's just not going to cut it in the IOT age.

    Meanwhile, when they found a way to hack into a Tesla a few months back--which required physical, not remote, access--Tesla pushed a software patch out to all affected cars within days.

    link to this | view in chronology ]

  • icon
    nasch (profile), 26 Feb 2016 @ 8:52am

    VIN

    Normally it's only the last five digits that differ," he explained.

    So what happens with the 100,001st Leaf? Reused VIN? I have heard Honda and maybe some other manufacturers reuse VINs - I don't get why that's even allowed.

    GM, you'll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that's just not going to cut it in the IOT age.

    It is if people keep buying the products.

    link to this | view in chronology ]

    • icon
      Mason Wheeler (profile), 26 Feb 2016 @ 10:15am

      Re: VIN

      So what happens with the 100,001st Leaf? Reused VIN?

      According to Wikipedia, it's actually the last 8 digits that differ. #10 identifies the model year, #11 identifies the plant at which it was manufactured, and #12-17 are a serial number for the car. Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that's not likely.

      link to this | view in chronology ]

      • icon
        nasch (profile), 26 Feb 2016 @ 10:59am

        Re: Re: VIN

        Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that's not likely.

        Oh, good. I'm not sure anything has ever sold over a million in one year, and if so it's been a very long time. Plus if they ever got close to that they would probably have multiple plants making them.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 Feb 2016 @ 11:25am

        Re: Re: VIN

        I can tell you that the last 8 generally are unique but not always. Chrysler used to duplicate the last at times.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Feb 2016 @ 9:20am

    Leaf Blower !

    (Sorry, couldn't resist.)

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Feb 2016 @ 9:34am

    Leaf Blower !

    (Sorry, couldn't resist.)

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Feb 2016 @ 11:14am

    Re: does not involve critical systems

    I did some research into this subject last year when car shopping. The ONLY manufacturer I found that WASN'T doing everything on a single bus (ie crit systems possibly accessible from internet) was Audi. Audi has a separate network for critical stuff.

    Admittedly though- Nissan wasn't even on my radar, so I never checked them.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2016 @ 8:33pm

      Re: Re: does not involve critical systems

      Audi has a separate network for critical stuff.

      Like emissions checking?

      link to this | view in chronology ]

  • icon
    John85851 (profile), 29 Feb 2016 @ 1:04pm

    Critical systems vulernable?

    Some people seem to think that's not too bad if the critical systems aren't vulernable.
    What about the other problems?
    - The hackers can get the owner's personal information, including home address.
    - The hackers can watch and see when the owners leave.
    - Then the hackers and their team can rob the house, while one of the hacker keeps an eye on the tracker to know when the car is heading home.
    - Then if the car getting too close, fire up the controls to drain the battery and keep the owner stranded.

    But at least the hackers can't do anything to the car.

    link to this | view in chronology ]

    • icon
      nasch (profile), 29 Feb 2016 @ 1:19pm

      Re: Critical systems vulernable?

      Some people seem to think that's not too bad if the critical systems aren't vulernable.

      I think they're saying it's not as bad. Not that it isn't bad or that it's acceptable.

      link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.