Leaf chronic security risk with NissanConnect EV app.


hornetrider

Original Poster:

63,161 posts

206 months

Wednesday 24th February 2016
Bonkers. Saw this on speakev while digging around for info.

http://www.troyhunt.com/2016/02/controlling-vehicl...

TL;DR

The app is completely unsecure. Someone can paste a URL into a browser with a valid VIN and remotely turn on/off AC running the battery down, as well as disclosing your driving history (times, efficiency, state of charge, etc).

As soon as this gets out to the wider hacker community I suspect all manner of people will try fking about with random VINs just for the hell of it.

To solve - disable NissanConnect and don't use it. No response from Nissan at this time despite knowing about it for over a month!

Gareth79

7,722 posts

247 months

Wednesday 24th February 2016
To be fair he did get a response from them and they claimed they were working on it, but as he mentioned it was already known about and they hadn't proposed anything within a month so it was correct to publish.

The whole thing is pretty staggering, I cannot believe how such a large company would run something with such a huge hole. It's not even a bug or flaw, it's a complete lack of security on the API. I could understand if, for example, they sent authentication for the request (using the CW login) but it turned out you could use any VIN (that would be simple for them to fix in their back-end), but the service just doesn't send any credentials. Insane.


TooMany2cvs

29,008 posts

127 months

Wednesday 24th February 2016
hornetrider said:
Someone can paste a URL into a browser with a valid VIN and remotely turn on/off AC running the battery down, as well as disclosing your driving history (times, efficiency, state of charge, etc).

As soon as this gets out to the wider hacker community I suspect all manner of people will try fking about with random VINs just for the hell of it.
http://www.pistonheads.com/gassing/topic.asp?h=0&f=23&t=1576475
<google image search, Nissan Leaf UK>
Hmm. This could be fun.

TooLateForAName

4,759 posts

185 months

Thursday 25th February 2016
I'm just astounded that Nissan Connect is working at all for so many people.

It is a heap of st.

55palfers

5,923 posts

165 months

Thursday 25th February 2016
Does this apply to all "connected" cars do you think?

teabelly

164 posts

232 months

Thursday 25th February 2016
I'd imagine a lot of them are programmed in similar ways with the same stupid mistakes. With every new platform the same old mistakes that were in older software resurface again.

It only takes basic effort eg to link the VIN to the MAC of the device used and have some kind of restriction on which devices can be used with the car. Eg you can only set them up with device bluetooth enabled while in the car with car turned on to reduce the likelihood of someone picking random VINs and connecting.

It's such a basic and stupid mistake the implementer of this software really wants sacking.

hornetrider

Original Poster:

63,161 posts

206 months

Thursday 25th February 2016
The functionality has now been disabled after the publication of the blog post yesterday.

http://www.usatoday.com/story/tech/news/2016/02/24...

AH33

2,066 posts

136 months

Thursday 25th February 2016
Shocking.

200,000 people bought leafs (or is that leaves)?

Ed.

2,174 posts

239 months

Friday 26th February 2016
The 2 guys who hacked the Jeep Cherokee last year came up with a top 3 vulnerable vehicles when planning what to work on. The Infiniti Q50 and Cadillac Escalade were almost as bad so the issue is widespread.

Munter

31,319 posts

242 months

Friday 26th February 2016
Car manufacturers and security just don't seem to be able to get together. It's really odd. It's like they are determined to reinvent the wheel.

Gareth79

7,722 posts

247 months

Friday 26th February 2016
teabelly said:
I'd imagine a lot of them are programmed in similar ways with the same stupid mistakes. With every new platform the same old mistakes that were in older software resurface again.

It only takes basic effort eg to link the VIN to the MAC of the device used and have some kind of restriction on which devices can be used with the car. Eg you can only set them up with device bluetooth enabled while in the car with car turned on to reduce the likelihood of someone picking random VINs and connecting.
The car is controlled over the internet through their API (not directly in any way), so anything linked to hardware won't work. They had all they needed really - the car is registered to a CarWings account and the account has a login, it just needed the API to have authentication and checking that the car specified was linked to the account that had authenticated.

teabelly said:
It's such a basic and stupid mistake the implementer of this software really wants sacking.
Several people, including whoever was responsible for final security QA at Nissan.
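
The server-side check described in the posts above, as an added example that is not part of the original thread and is not Nissan's code: it contrasts a handler with no credentials, a handler that authenticates but accepts any VIN, and one that also checks the VIN is registered to the authenticated account. The account names, placeholder VINs, function names and status codes are all constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data: which VINs are registered to which account.
ACCOUNT_VINS = {"alice": {"VIN-PLACEHOLDER-0001"}, "bob": {"VIN-PLACEHOLDER-0002"}}
ALL_VINS = set().union(*ACCOUNT_VINS.values())
SESSIONS = {}  # sha256(session token) -> account name
ACTIONS = {"ac_on", "ac_off"}


def login(account):
    """Issue a random session token; the password check is omitted here."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = account
    return token


def _account_for(token):
    """Map a presented token to its account, or None if it is not valid."""
    if not token:
        return None
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())


def climate_no_auth(vin, action):
    """The design the thread describes: no credentials, the VIN selects the car."""
    return (200, "sent") if vin in ALL_VINS and action in ACTIONS else (404, "not found")


def climate_auth_only(token, vin, action):
    """Login required, but any registered VIN is accepted (still broken)."""
    if _account_for(token) is None:
        return (401, "authentication required")
    return climate_no_auth(vin, action)


def climate_authorized(token, vin, action):
    """Login required and the VIN must be registered to the caller's account."""
    account = _account_for(token)
    if account is None:
        return (401, "authentication required")
    if vin not in ACCOUNT_VINS.get(account, set()) or action not in ACTIONS:
        # Same reply for "not yours" and "does not exist", so the endpoint
        # cannot be used to test which VINs are registered.
        return (404, "not found")
    return (200, "sent")
```
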

onedsla

1,114 posts

257 months

Friday 26th February 2016
Email just in (translated from French):

Hello,
The Nissan Connect EV (formerly CARWINGS) application features are temporarily suspended.
We sincerely apologise for the inconvenience.
The only functions affected are those controlled remotely directly from the smartphone application. These functions are still accessible in the vehicle or from the site from a computer.
Our technical teams are working to launch the update of the NissanConnect EV application as soon as possible. We will inform you as soon as it becomes available.
Thank you for your understanding.
Nissan