Nissan Forgets Security Exists, Opens Leaf Owners To Remote Attack
from the Internet-of-unsecured-things dept
You can add Nissan to the laundry list of companies that aren't making security a priority in the Internet of Things era. A hacker this week revealed that vulnerabilities in the Nissan Leaf companion app allow an attacker not only to track a driver's driving behavior, but to physically control the Leaf's heating and cooling systems. Though not quite as severe as some other car vulnerabilities that open vehicles to total control, the vulnerability still allows a hacker to cause some notable trouble by running down the Leaf's batteries, potentially leaving an owner stranded.
Australian security researcher Troy Hunt stated he gave Nissan a month to fix the vulnerability before publicizing it, acting in part because he was already seeing online forum posters providing a web address used to spoof the app. Basically, Hunt notes that people simply need to write down a Leaf owner's VIN number, and they'd be able to use a web browser to fool Nissan's servers into controlling the Leaf's systems remotely. Like so many IOT flaws, Hunt notes that security wasn't just weak, it was non-existent. As in, no attempt at authentication at all:
"The right thing to do at the moment would be for Nissan to turn it off altogether," Mr Hunt told the BBC. "They are going to have to let customers know. And to be honest, a fix would not be hard to do. It's not that they have done authorisation [on the app] badly, they just haven't done it at all, which is bizarre."
Again, that's a major automaker not just imposing bad security, but not even bothering with security, period. Hackers can use the trick to collect Leaf owners' names, as well as the duration, time and distance of recent trips. It's also relatively simple to write a script that would move through potential VIN numbers to find cars to control -- and people's days to ruin:
The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm's headquarters. So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. "Normally it's only the last five digits that differ," he explained. "There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one. They would then get a response that would confirm which vehicles exist."
Fortunately for Leaf owners, this is a fix that doesn't require waiting for Nissan, since simply unregistering the CarWings companion app prevents the attack. Nissan has yet to comment, likely because the company, like most automakers, is moving glacially to understand and replicate the vulnerability. GM, you'll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that's just not going to cut it in the IOT age.
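The missing check described above, sketched as an added example (not code from the article, Nissan or Mr Hunt): a VIN-only handler next to one that authenticates the caller, verifies ownership, and answers identically for unknown and foreign VINs. The VINs, account names, status codes, function names and lockout threshold are constructed assumptions.

```python
from collections import defaultdict
import secrets

# Constructed sample data: VINs and account names are placeholders.
VEHICLE_OWNER = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SESSIONS = {}                     # session token -> account
DENIED_VINS = defaultdict(set)    # account -> VINs it was refused for
MAX_DENIED_VINS = 3               # assumed lockout threshold


def login(account):
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def climate_unauthenticated(vin, action):
    """The flaw as reported: the VIN alone selects the car."""
    if vin not in VEHICLE_OWNER:
        return (404, "unknown vehicle")   # tells the caller which VINs exist
    return (200, f"climate {action} sent to {vin}")


def climate_authorized(token, vin, action):
    """Hardened form: authenticate the caller, then check ownership."""
    account = SESSIONS.get(token)
    if account is None:
        return (401, "login required")
    # An account that keeps naming cars it does not own is walking the
    # VIN space; stop answering it.
    if len(DENIED_VINS[account]) >= MAX_DENIED_VINS:
        return (429, "too many vehicles tried")
    # Unknown VIN and someone else's VIN get the same answer, so the
    # response no longer confirms which vehicles exist.
    if VEHICLE_OWNER.get(vin) != account:
        DENIED_VINS[account].add(vin)
        return (403, "forbidden")
    return (200, f"climate {action} sent to {vin}")
```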
Filed Under: authentication, iot, nissan leaf, security
Companies: nissan
Reader Comments
Re:
You're either not reading carefully or not writing carefully, because that is not what this article says.
[ link to this | view in chronology ]
Cars' critical systems should not be connected to the internet, period. It's unbelievably stupid and negligent the way a lot of cars are being designed these days.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re: Firewall fail
Can't keep the AC running after the car is turned off so some comm is in place.
[ link to this | view in chronology ]
Re: Re: Re: Firewall fail
I don't know one way or the other but I don't think that proves the systems are connected. The main system could just cut the power to the A/C pump when the engine is turned off rather than sending a signal to the climate control/nav/entertainment system to do it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
The last thing in the world I want is to have a toaster some bored young teen decided would be nice to burn up and take a house with it. It's bad enough that all these corporations want to know everything about you through these IoTs but just like the commercial and ad groups they want all the problems to be on your end and just dumbly accept what they are dishing out to satisfy their insatiable need to collect data, putting all the risk on you.
This is exactly the same mentality and I refuse to accept it as business as usual.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Which means that it's now possible to stalk every single person driving every single one of these cars (if the app is active).
Which in turn means that it's possible not only to strand them (by exhausting the vehicle's power) but to choose WHEN and WHERE to strand them.
[ link to this | view in chronology ]
Looking on down the road...
In the meantime the IoT can stay on the Internet and out of my things.
[ link to this | view in chronology ]
http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shocking-vulnerability-revealed/
[ link to this | view in chronology ]
Hardware makers don't know software
They may have some software people to make the firmware and low-level software that makes the hardware work, but they don't know anything about "IT" services. At a minimum, the senior people don't know about it, so security is an after-thought. It's not needed for the hardware, so no one thinks about it when it comes to Internet connections.
[ link to this | view in chronology ]
Re: Hardware makers don't know software
Second, the general population of software engineers doesn't do much better when it comes to software security. Software security all by itself is a specialty.
What needs to be done is something that would help resolve this problem altogether: the establishment of best practices that engineers are expected to follow to minimize security problems.
[ link to this | view in chronology ]
Meanwhile, when they found a way to hack into a Tesla a few months back--which required physical, not remote, access--Tesla pushed a software patch out to all affected cars within days.
[ link to this | view in chronology ]
VIN
So what happens with the 100,001st Leaf? Reused VIN? I have heard Honda and maybe some other manufacturers reuse VINs - I don't get why that's even allowed.
GM, you'll recall, took five years to fix a flaw that allowed total remote control of some of its vehicles, a glacial cadence that's just not going to cut it in the IOT age.
It is if people keep buying the products.
[ link to this | view in chronology ]
Re: VIN
According to Wikipedia, it's actually the last 8 digits that differ. #10 identifies the model year, #11 identifies the plant at which it was manufactured, and #12-17 are a serial number for the car. Therefore, if one plant manufactured more than 1 million Leafs (Leaves?) in one year, it would break this scheme, but that's not likely.
[ link to this | view in chronology ]
Re: Re: VIN
Oh, good. I'm not sure anything has ever sold over a million in one year, and if so it's been a very long time. Plus if they ever got close to that they would probably have multiple plants making them.
[ link to this | view in chronology ]
Re: Re: VIN
[ link to this | view in chronology ]
Leaf Blower !
[ link to this | view in chronology ]
Re: does not involve critical systems
Admittedly though- Nissan wasn't even on my radar, so I never checked them.
[ link to this | view in chronology ]
Re: Re: does not involve critical systems
Like emissions checking?
[ link to this | view in chronology ]
Critical systems vulnerable?
What about the other problems?
- The hackers can get the owner's personal information, including home address.
- The hackers can watch and see when the owners leave.
- Then the hackers and their team can rob the house, while one of the hackers keeps an eye on the tracker to know when the car is heading home.
- Then if the car is getting too close, fire up the controls to drain the battery and keep the owner stranded.
But at least the hackers can't do anything to the car.
[ link to this | view in chronology ]
Re: Critical systems vulnerable?
I think they're saying it's not as bad. Not that it isn't bad or that it's acceptable.
[ link to this | view in chronology ]